Managing Data-Breach Crises


By Jean-François Legault, CISSP, CISA, CISM, GCIH, GCFA

Digital Fingerprints

It's almost impossible for your organization to operate without collecting or holding electronic personally identifiable information (PII), which requires you to protect against data breaches. If you don't, your organization will lose not just its reputation but possibly millions of dollars in damages and victims' class-action lawsuits.

However, despite your best prevention efforts, you must still be prepared to investigate a possible data breach.

The European Union directive 95/46/EC describes PII - or "personal data," as the EU calls it - to be "any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." PII includes full names, Social Security numbers, birth dates, addresses, credit card numbers, or any other descriptive information.

At the end of 2007, 39 U.S. state legislatures had introduced breach notification bills that regulate the responsibilities of companies that are data-breach victims. Other countries, including Canada and New Zealand, have enacted data-breach laws. The laws differ but all require organizations, under civil penalty and/or fines, to notify individuals that their personal information has been exposed through a data breach.
