Okay, so now that we've talked about
who has to be noticed under what circumstances and how they're supposed to be notified.
we're gonna talk about the content of that notice to the individuals. So this section of the law provides that regardless of however, the company decides to notify the individual, whether that be the individual notification and or that mass media notification
that notices all have to include the next step
possible. Number one,
a description of the categories of sensitive, personally identifiable information that WAAS
or is reasonably believed to have been accessed, required by unauthorized person.
So what this is gonna include is any of those p I data elements Such is
first name and last name your Unstrung Kate id Social Security number, user names, passwords, mail addresses. Any data that the organization knows or believes to have been stolen has to be included in that notice.
The second element that has to be included in the notice is a toll free number that one
on individual could use to contact the business entity or the agent of the business.
where the individual can learn what types of p I business entity maintained about that individual, so that not only includes the information that the organization believes was lost with all information that the organization contains about that person
and then the last portion is tthe e toll free contact, telephone numbers and addresses of the major credit reporting agencies and the commission,
and there's also additional contact content that should be included, said notwithstanding Section 109 a state may require that a notice under Section A shall also include information regarding protection and assistance provided by that state.
So it's again, it's very important for incident responders and those that are sending out these notices to not only be aware of the federal law but to also be aware of Africa ble state laws. The state law can't be any
less severe or less strict than the federal law,
but they may pose additional information that organizations will have to follow and abide by. So again, it's very important to
seek that legal counsel
so moving on from the content of the notice to individuals. Organizations are also required to notify the credit reporting agencies, so the law specifically states where business entity is required to provide notification to more than 5000 individuals. Under that previous section,
the business entity shall also notify all consumer reporting agencies that compile a maintain files and the consumers on a nationwide basis.
And then it goes into defined section that talks about,
uh, the agencies themselves, of the timing and distribution of the notices such notice show given to consumer credit reporting agencies without unreasonable delay if it will not delay notice to the affected individuals prior to the distribution of the notices to the affected.
again, the law is very specific what is required to do by businesses under this act. So any time more than 5000 individuals are affected,
business must notify credit reporting agencies a lot of words there. But just to summarize that very distinctly
so, how come some organizations do not report information
two federal law enforcement and or US cert
So some agencies do not do this because some incidents senior management has the discretion in reporting her seeking outside assistance.
Secondly, and probably more prevalent, is that reporting cyber incidents can lead to a loss of reputation. In this, they pose a potential loss and customers revenue.
many organizations may consider cyber incident as an acceptable business loss or simply choose to ignore the risk.
now, hopefully, a business has actually conducted a risk assessment. A sports. This is concerned, and they are willing to accept certain types of risk. And that may be okay as long as they've taken that into consideration, however, simply ignoring the risk or not even evaluating. And I's not necessarily
So we talked about how target profit fell nearly 50%. It's fourth quarter of 2013 after their breach and declined by more than the third for all 2013. So that may actually affect a lot of businesses and how they essentially don't want this information to come out
and reported to the public entered. Law enforcement agencies
and the next target agree to pay $10 million in proposed settlement of a class action lawsuit related to a huge 2013.
So some companies, regardless of what the law says, they may not actually do what is required and provide that information to their customers to the,
federal government assisted supposed to into the credit reporting agencies. So
those are some important considerations taken effect. Obviously, if your if your organization falls below the threshold stated in those notices, it doesn't necessarily have to notify its customers that there was a breach.
That, being said, it may be a token of goodwill that may show that the organization serious about protecting customer data.
On the flip side of that,
it may may also expose the organization to the ire of their customers, and it could result in a loss of profit of confidence in the business, said those were some very important considerations to keep in mind. And it's probably going to be beyond the scope of the incident responders
and will be made up of very high levels of sea levels of the corporation
on with that legal counsel. So again, it's important to be cognisant of the law again. I understand a lot of these thes decisions will be not made by the incident responders, but again, it's very important that you you happen understanding so you can act appropriately
or at least know when to seek legal guidance.
moving beyond notification to individuals about their database breach, there's also their partner notification law enforcement on for other purposes. So
The first part is that any business entity shall notify entity designated by the secretary of Homeland Security to receive reports and information about information security incidents,
threats, vulnerabilities. Such agency shall promptly notify and provide that same information to the United States. Secret Service. The Federal Bureau of Investigation in the Commission for Civil Law Enforcement purposes and she'll make it available is appropriate to other federal agencies for law enforcement. National security,
Arkham Period. Computer security purposes
The number of individuals
who's sensitive, personally identifiable information. WAAS
or is reasonably believed to have been accessed or acquired by unauthorized person succeeds. 5000 So again, that's that notification standards? A. You're above 5000. You're notifying
the individuals affected, and you're also providing that notification to the entity designated by the secretary of VHS
number two. The security breach involves a database network, integrated database or other data system containing sensitive P ay of more than 500,000 individuals nationwide, so that's very specific. And it it's It's often misunderstood. So
regardless of the size
of how much data stolen,
if someone gets access to a database that has those more than 500,000 individuals. Law enforcement must be notified that someone has done that.
So Number three the security breached involves database is owned by the federal government. So I was actually one of the individuals backed by him. OPM had to notify into the federal government that, hey, I was hacked regardless of the size of the breach. So
again, it doesn't matter if it's one person
or if it's 5000 people. If the government on step database they have to notify the designated person appointed by the HSE
and the number four. The security breach involves primarily sensitive, personally identifiable information of individuals
known to the business entity to be employees and contractors of the federal government involved in national security or law enforcement.
So again, if you're containing
if your database contains P I of those individuals, you're required to notify the person designated by D. H. S of that breach