About Us | Contact Us
View Cart

Incident Response Laws

By Dan Hadaway | Wednesday, October 8, 2014 - Leave a Comment

47 States have Customer Notification Laws


“Which laws do we need to comply with?”

Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

ServIcons_ITAudit_01

We’re often asked a question like:

“Does Indiana (or Ohio or Illinois or . . . ) have a law regarding data breach response and, in particular, are we to notify somebody at the state?”

Yes,  Indiana and 46 other states have such a law.

You can usually find the law for your state by Googling “<your state> data breach statute.”

However, for those governed by HIPAA GLBA SOX and all the other “bad-news laws,” in most of those states, if you already comply with a federal regulation that covers customer notification, you might be able to avoid the paperwork hoops that state law often requires you to jump through.  For example, a financial institution that complies with the disclosure requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is not required to make a disclosure under the Indiana Code 24-4.9, which governs incident response for entities in Indiana.  Banks and credit unions:  We interpret this to mean that if your Incident Response Policy requires you to comply with the Interagency Guidance, then you do not have to comply with the Indiana Law. And that’s a good thing, because the Interagency Guidance is often more clear and flexible than the state laws.  (Note, these are our our opinions as Certified Information System Auditors and not attorneys or lawyers.)

When Should the Customer Notice be Provided?
The interpretive guidance states that a financial institution should provide a notice to its customers whenever it becomes aware of an incident of unauthorized access to customer information and, at the conclusion of a reasonable investigation, determines that misuse of the information has occurred or it is reasonably possible that misuse will occur.

Customer Notification (also called “Customer Notice.”)
The guidance is clear that notification to the customer must be given in a clear and conspicuous manner. The notice should include the following items:

  • Description of the incident;
  • Type of information subject to unauthorized access;
  • Measures taken by the institution to protect customers from further unauthorized access;
  • Telephone number customers can call for information and assistance; and
  • Remind customers to remain vigilant over next twelve to twenty four months, and report suspected identity theft incidents to the institution.

The guidance encourages financial institutions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies.

Delivery of Customer Notice

Customer notice should be delivered in a manner designed to ensure that a customer can reasonably be expected to receive it. For example, the institution may choose to contact all customers affected by telephone or by mail, or by electronic mail for those customers for whom it has a valid e-mail address and who have agreed to receive communications electronically.

When do we really need to start considering this?

Your Incident Response Plan should articulate a triage process performed by the Information Security Officer (or whomever the task is assigned to.)   The plan should give the ISO authority to classify incidents into “notification incidents” versus “other incidents.”  (Many organizations have a gradation of “other” incidents.)  But the point is, if it is a notification incident, the ISO “pulls the fire alarm” and an Emergency Incident Response Team Meeting is called.

The classification should be based on what type of information was breached.  (Some organizations will include additional factors such as whether the recipient of the information is known and friendly or unknown or unfriendly.)

The guidance itself establishes that customers must be notified whenever “Sensitive Customer Information” is breached.  According to the guidance, ” sensitive customer information means a customer’s name,
address or telephone number in conjunction with the customer’s Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. It also includes any combination of components of customer information that would allow someone to log on to or access the customer’s account, such as user name and password or password and account number. ”

In a real incident, which law you should comply with will ultimately need to be approved by a lawyer.  This is why you should have legal counsel available for emergency incident response team meetings, and this is why you shouldn’t fret too much about it, other than to know the code applicable in your state (and in Indiana it’s Indiana Code 24-4.9), whether that code has exemptions for organizations complying with federal regulations, and then what the exact steps are to achieve the above articulated objectives of the customer notification phase of an incident response.


Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

 


same_strip_012513


 

Latest News
    What are the top seven risks your board should know about in 2021? Since his first board presentation in 2000, when Dan presents audit reports to boards of directors, he also talks to the board about the top risks the institution is facing. Since 2006, Dan has been compiling a list of the “top seven […]
     A Timeline Update as of 02/22/21 An update to our Newest Employee’s FIRST Technical Article Another interim post-mortem review . . . . A Note About Updates: We have decided to leave the original article as it was originally posted and to update this post with any changes that have been made. You can see […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office.  
    A Webinar-Movie The 2020 annual webinar update on the subject will include a review of the previous years’ movies that are already available, and a discussion about alternative tactics that have arisen from recent virtual conferences and regulator panels.
    The cybersecurity industry faces challenges, and some of them may involve your business… An article review. In a world where threats to your organization’s electronic assets are constantly emerging and evolving a cybersecurity insurance policy can help mitigate risk…but what kind of risk does the cybersecurity insurance industry face?  A new article in the Harvard […]
    A Timeline as of 01/24/2021 Our Newest Employee’s FIRST Technical Article Another interim post-mortem review . . . . A Note About Updates: We are leaving this article as is, but for any updates to the timeline, check the Autopsy of the SolarWinds Hack Timeline Update article!      – Vigilize Introduction: As the managing […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS FORUM AND CONFERENCE NEWS infotex is proud to announce that Dan Hadaway will be moderating a series of IT Forums for the Ohio Bankers League. “We are excited to continue fostering the relationship with the OBL to help educate and keep Risk Management at the forefront of […]
    Top 7 Trend Articles of 2021. . .  . . .For ISOs of Small Financial Institutions. Welcome to our annual T7 article:  a list of our favorite trend articles from the past year.  Our intent: help you organize your thoughts as your work through your strategic planning process.  We hope reviewing these articles will help you […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office.  
    A Webinar-Movie In our current world of uncertainty there is at least one thing that is certain. Business needs to continue, and that means that it is important for managers to be able to meet with their team even if everyone is working remotely at this point. In this Webinar-Movie, Dan will compare virtual meeting […]