Part 4 - Giving notice to individuals

Video Activity



Time: 7 hours 56 minutes
Difficulty: Advanced
Video Description

This lesson covers what's involved in giving notice to individuals should an incident occur. Whether a notice is given via email, a phone call or in writing, the notice must include: a description of the categories of information involved; a toll-free number to contact the business entity; a toll-free number for the major credit reporting agencies; and any necessary additional content.

Video Transcription
Now, we've talked about who has to be notified, under what circumstances, and how they're supposed to be notified. We're going to talk about the content of that notice to the individuals. This section of the law provides that, regardless of however the company decides to notify the individual, whether that be the individual notification and/or that mass media notification, the notices all have to include, to the extent possible: Number 1, a description of the categories of sensitive personally identifiable information that was or is reasonably believed to have been accessed or acquired by an unauthorized person. What this is going to include is any of those PII data elements such as first name and last name, your untruncated social security number, usernames, passwords, email addresses; any data that the organization knows or believes to have been stolen has to be included in that notice.

The second element that has to be included in the notice is the toll-free number that, one, an individual can use to contact the business entity or the agent of the business, and that, two, where the individual can learn what types of PII the business entity maintained about that individual. That not only includes the information that the organization believes was lost, but all information that the organization contains about that person. Then the last portion is the toll-free contact telephone numbers and addresses of the major credit reporting agencies and the Commission.

There's also additional content that should be included. Notwithstanding Section 109, a state may require that a notice under Section A should also include information regarding protection and assistance provided by that state. Again, it's very important for incident responders and those that are sending out these notices to not only be aware of the federal law but to also be aware of applicable state laws. The state law can't be any less severe or less strict than the federal law, but they may pose additional information that organizations will have to borrow and abide by. Again, it's very important to seek that legal counsel.

Moving on from the content of a notice to individuals, organizations are also required to notify the credit reporting agencies. The law specifically states where a business entity is required to provide notification to more than 5,000 individuals under that previous section, the business entity shall also notify all consumer reporting agencies that compile and maintain files on the consumers on a nationwide basis. Then it goes into the find the section that talks about the agencies themselves of the timing of distribution of the notices. Such notice shall be given to consumer credit reporting agencies without unreasonable delay. This will not delay notice to the affected individuals, prior to the distribution of the notices to the affected individuals. Again, the law is very specific about what is required to be done by businesses under this act. Any time more than 5,000 individuals are affected, the business must notify credit reporting agencies. A lot of words there, but just to summarize that very succinctly.

How come some organizations do not report information to federal law enforcement and/or US suit? Some agencies do not do this because, in some incidents, senior management has the discretion in reporting or seeking outside assistance. Secondly, and probably more prevalent, is that reporting cyber incidents can lead to a loss of reputation unless they pose a potential loss in customers or revenue. Thirdly, many organizations may consider cyber incidents as an acceptable business loss or simply choose to ignore the risk. Now, hopefully a business has actually conducted a risk assessment as far as this is concerned, and they are willing to accept certain types of risk, and that may be okay as long as they've taken that into consideration. However, simply ignoring the risk or not even evaluating it is not necessarily good due diligence.

We talked about how Target's profit fell nearly 50 percent for a quarter of 2013 after their breach and declined by more than a third for all of 2013. That may actually affect a lot of businesses and how they essentially don't want this information to come out and report it to the public and to law enforcement agencies. Next, Target agreed to pay $10 million in a proposed settlement of a class-action lawsuit related to a huge 2013 data breach. Some companies, regardless of what the law says, may not actually do what is required and provide that information to their customers, to the federal government, as opposed to the credit reporting agencies. Those are some important considerations to take into effect.

Obviously, if your organization falls below the threshold stated in those notices, it doesn't necessarily have to notify its customers that there was a breach. That being said, it may be a token of goodwill to make sure that the organization is serious about protecting customer data. But on the flip side of that, it may also expose the organization to the ire of their customers and it could result in a loss of profit or confidence in the business. Those are some very important considerations to keep in mind. It's probably going to be beyond the scope of the date of the incident responder and will be made up at the high levels, the C-levels of the corporation, and with that legal counsel. Again, it's important to be cognizant of the law. Again, I understand a lot of these decisions will not be made by the incident responder. But again, it's very important that you have that understanding so you can act appropriately or at least know when to seek legal guidance.

Moving beyond notification to individuals about their data being breached, there's also their quiet notification, law enforcement, and for other purposes. The first part is that any business entity should notify an entity designated by the Secretary of Homeland Security to receive reports and information about information security incidents, threats, and vulnerabilities. Such agency shall promptly notify and provide that same information to the United States Secret Service, the Federal Bureau of Investigation, and the Commission for civil law enforcement purposes, and shall make it available as appropriate to other federal agencies for law enforcement, national security, or computer security purposes if, number one, the number of individuals whose sensitive personally identifiable information was or is reasonably believed to have been accessed or acquired by unauthorized persons exceeds 5,000. Again, that's notification standards. If you're above 5,000, you're notifying the individuals affected and you're also providing that notification to the entity designated by the Secretary of DHS.

Number 2, the security breach involves a database, network, or integrated database, or other data system containing sensitive PII of more than 500,000 individuals nationwide. That's very specific and it's often misunderstood. Regardless of the size of how much data is stolen, if someone gets access to a database that has those more than 500,000 individuals, law enforcement must be notified that someone has done that.

Number 3, the security breach involves databases owned by the federal government. I was actually one of the individuals hacked by OPM. OPM had to notify the federal government that, hey, I was hacked, regardless of the size of the breach. Again, it doesn't matter if it's one person or if it's 5,000 people. If the government owns that database, they have to notify the designated person wanted by DHS.

Then Number 4, the security breach involves primarily sensitive personally identifiable information of individuals known to the business entity to be employees and contractors of the federal government involved in national security or law enforcement. Again, if your database contains PII of those individuals, you're required to notify the person designated by DHS of that breach.