The regulator's desire to make a broader policy statement.The affected organization's response, and.The consumer demographic affected (e.g., the elderly),.Within this universe of incidents then, what raises red flags for controlling government entities? Regulators look at several factors when deciding whether to pursue an investigation, including: Early and transparent communication with stakeholders as outlined below is essential. In such scenarios an organization must steel itself for multiple and protracted investigations. This breach may draw the attention (and ire) of state Attorneys General that maintain jurisdiction as well as the company's primary insurance regulators. This is clearly large-scale because of the number of affected patients, and it involves information that, while not protected by all breach notification statutes, may be viewed by consumers as "personal" nonetheless. She then appears to sell this information on the dark web. For example, a hacker infiltrates a health insurance company's network and exfiltrates the Social Security numbers and health diagnoses information for 15 million patients. Some incidents will most assuredly garner regulatory scrutiny. Regulators often include state Attorneys General and/or a primary industry regulator such as a Commissioner of Insurance or State Corporation Commission. When assessing notification to regulators, businesses may want to consider a strategy at the incident's outset of ongoing communication with updates and developments as the matter evolves. Ultimately, notice to affected consumers may be required once the incident is confirmed to be a breach. It will be a challenge to track down all 50 flash drives and it will likely take the organization significant time to fully uncover the facts if they fully uncover them at all. Importantly, if indeed present, these data elements qualify the incident as a breach under many states' breach notification statutes. There is a chance, however, that any one drive contains an employee's Social Security number and the tax withheld from that employee's income. The company is unsure specifically what employee information is contained on each flash drive. In this hypothetical, an employee for a tax preparation service company inadvertently mails flash drives to 50 clients containing tax information pertaining to the company's employees. These are incidents requiring in-depth investigation to determine what data was affected, if any. If the company quickly addresses the incident and provides notice in a timely fashion, governmental entities are unlikely to initiate an investigation, presuming there are no other aggravating factors. Yet this scenario may still be a breach in some states. Presumably, the risk of harm to the customers is relatively low particularly if the recipient is familiar and it can be confirmed the recipient quickly deleted the email. The email provides clear evidence of what was sent and to whom. For example, a company employee accidentally emails a spreadsheet containing the names and credit card numbers of 100 of the company's customers to the wrong individual. These incidents typically involve an event that is smaller in scale and affects an easily identifiable data set. Given this, organizations should be aware that, depending on its size, an incident may enkindle federal regulations and/or 50+ state and territorial laws, and so should consult with legal counsel as appropriate. Information like date of birth, medical information, passport numbers, and biometric data, however, receive varied treatment. Social Security numbers, financial account information, and driver's license or state identification numbers generally trigger laws across the board. Confusingly, each state and regulatory body has its own definition of personal identifying information.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |