
Disclosure Responsibility


Post-breach activity doesn’t stop once the misconfigurations and vulnerabilities that were leveraged to perform the intrusion are remediated. An increasing body of legislation and regulation requires organizations to inform specific stakeholders when a breach occurs: not only must the affected information systems be remediated, but the appropriate notifications must also be made, usually within a fixed deadline. For example, in the United States the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires that affected individuals and the US Department of Health & Human Services be notified when unsecured protected health information is exposed through a breach, and that the media also be notified when the breach affects more than 500 residents of a state or jurisdiction. The European General Data Protection Regulation (GDPR) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” It requires the controller to notify the supervisory authority, generally a member state government agency, “without undue delay and, where feasible, not later than 72 hours after having become aware of it,” unless the breach is unlikely to result in a risk to individuals, and additionally to notify the affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms. In many US jurisdictions, state data breach laws separately mandate that impacted parties be notified if the information exposed could lead to fraud or identity theft.

An increasing part of the information security professional’s role isn’t simply to ensure that information systems are protected in the most technically competent manner possible, but to ensure that the regulations governing the protection of data and systems, including those that dictate how an organization must respond to a breach, are actually followed. As mentioned earlier, internal organizational policies should specify which personnel are responsible for specific areas. This includes not only who is responsible for maintaining the security of specific systems and data, but also who is responsible for determining whether a notification obligation has been triggered, tracking the clock against the applicable deadline, and crafting the notifications to regulators and to the external parties impacted by the intrusion.

Join the discussion

What are your organization’s disclosure responsibilities if a breach occurs where attackers gain unauthorized access to customer information? Use the discussion section below and let us know your thoughts.
This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security.

Created by
FutureLearn - Learning For Life
