Procedures for Responding to Data Security Breaches
In addition to a data security policy, each company should also have formal procedures in place that describe the steps it is required to follow in the event of a security breach resulting in the unauthorized disclosure of confidential personal information that the company maintains in its electronic and paper-based data systems. The process should be triggered either by actual evidence of a security breach (i.e., acquisition of confidential personal information by an unauthorized person) or by the occurrence of events that create a reasonable belief in the minds of company officials that a security breach is likely to have taken place (e.g., the suspicious loss or theft of a computer or device that contains unencrypted confidential personal information).

The first step after the problem is noticed should be controlling and containing the systems that appear to have been breached and launching a preliminary internal investigation to ascertain the scope of the breach. The internal investigation should be conducted with the assistance of outside forensic investigators. The company should also contact law enforcement agencies (i.e., the Federal Bureau of Investigation and state and local police departments) to notify them about the breach, and it should honor the instructions of those agencies as to whether the company should go forward with notifying affected persons or wait until such time as notice would not impede any law enforcement investigation.

Assuming that the law enforcement agencies do not object, the company should then take the necessary steps to comply with applicable federal, state and local requirements to notify affected individuals about the unauthorized access to their confidential personal information. The specific requirements regarding the contents and timing of the notice, including the need to notify credit reporting agencies, should be verified.
Finally, in the case of public companies that suffer a security breach, a report of the breach should be made in the company annual and quarterly filings with the SEC (i.e., Forms 10-K and 10-Q) and persons within the company who have notice of the breach should be barred from trading securities of the company until a public announcement of the breach has been made and disseminated in the financial markets.