
Disclosure Responsibility


Post-breach activity doesn’t stop once the configuration vulnerabilities leveraged in the intrusion are remediated. A growing body of legislation and regulation requires organizations to inform specific stakeholders when a breach occurs, so remediating the information systems must be followed by the appropriate notifications. For example, in the United States the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires that affected individuals and the US Department of Health & Human Services be notified when unsecured protected health information may have been exposed by a breach, and that prominent media outlets be notified as well when the breach affects more than 500 residents of a state or jurisdiction. The European General Data Protection Regulation (GDPR) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The supervisory authority, generally a member state government agency, must be notified “without undue delay and, where feasible, not later than 72 hours after having become aware of it,” unless the breach is unlikely to result in a risk to individuals; affected data subjects must additionally be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms. State data breach notification laws in the United States likewise require that affected individuals be notified when the exposed information could lead to fraud or identity theft, with trigger conditions and deadlines that vary by state.

An increasing part of the information security professional’s role is not simply ensuring that information systems are protected in the most technically competent manner possible, but also ensuring that the organization complies with the regulations governing the protection of data and systems and how it must respond to a breach. As mentioned earlier, internal organizational policies should specify which personnel are responsible for specific areas. This includes not only who is responsible for maintaining the security of specific systems and data, but also who is responsible for crafting the notifications to external parties impacted by the intrusion. Because regulatory deadlines such as GDPR’s 72-hour window run from the moment the organization becomes aware of the breach, the incident response plan should also define who makes that determination and ensure the time of that determination is recorded.

Join the discussion

What are your organization’s disclosure responsibilities if a breach occurs where attackers gain unauthorized access to customer information?
This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security, created by FutureLearn.
