
Incident Response Laws

By Dan Hadaway | Wednesday, October 8, 2014 - Leave a Comment

47 States have Customer Notification Laws


“Which laws do we need to comply with?”

Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .


We’re often asked a question like:

“Does Indiana (or Ohio or Illinois or . . . ) have a law regarding data breach response and, in particular, are we to notify somebody at the state?”

Yes, Indiana and 46 other states have such a law.

You can usually find the law for your state by Googling “<your state> data breach statute.”

However, for those governed by HIPAA, GLBA, SOX and all the other “bad-news laws,” in most of those states, if you already comply with a federal regulation that covers customer notification, you might be able to avoid the paperwork hoops that state law often requires you to jump through. For example, a financial institution that complies with the disclosure requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is not required to make a disclosure under Indiana Code 24-4.9, which governs incident response for entities in Indiana. Banks and credit unions: we interpret this to mean that if your Incident Response Policy requires you to comply with the Interagency Guidance, then you do not have to comply with the Indiana law. And that’s a good thing, because the Interagency Guidance is often clearer and more flexible than the state laws. (Note: these are our opinions as Certified Information Systems Auditors, not as attorneys or lawyers.)

When Should the Customer Notice be Provided?
The interpretive guidance states that a financial institution should provide a notice to its customers whenever it becomes aware of an incident of unauthorized access to customer information and, at the conclusion of a reasonable investigation, determines that misuse of the information has occurred or it is reasonably possible that misuse will occur.

Customer Notification (also called “Customer Notice”)
The guidance is clear that notification to the customer must be given in a clear and conspicuous manner. The notice should include the following items:

  • Description of the incident;
  • Type of information subject to unauthorized access;
  • Measures taken by the institution to protect customers from further unauthorized access;
  • Telephone number customers can call for information and assistance; and
  • A reminder to customers to remain vigilant over the next twelve to twenty-four months and to report suspected identity theft incidents to the institution.

The guidance encourages financial institutions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies.

Delivery of Customer Notice

Customer notice should be delivered in a manner designed to ensure that a customer can reasonably be expected to receive it. For example, the institution may choose to contact all customers affected by telephone or by mail, or by electronic mail for those customers for whom it has a valid e-mail address and who have agreed to receive communications electronically.

When do we really need to start considering this?

Your Incident Response Plan should articulate a triage process performed by the Information Security Officer (or whoever the task is assigned to). The plan should give the ISO authority to classify incidents into “notification incidents” versus “other incidents.” (Many organizations have a gradation of “other” incidents.) But the point is, if it is a notification incident, the ISO “pulls the fire alarm” and an Emergency Incident Response Team Meeting is called.

The classification should be based on what type of information was breached. (Some organizations include additional factors, such as whether the recipient of the information is known and friendly, or unknown or unfriendly.)

The guidance itself establishes that customers must be notified whenever “Sensitive Customer Information” is breached. According to the guidance, “sensitive customer information means a customer’s name, address or telephone number in conjunction with the customer’s Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. It also includes any combination of components of customer information that would allow someone to log on to or access the customer’s account, such as user name and password or password and account number.”
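As an added illustration (not code from this post, from infotex, or from the guidance itself), here is the triage rule above expressed as a small Python classifier: an incident is a “notification incident” when the exposed data meets the guidance’s definition of sensitive customer information and the investigation finds misuse has occurred or is reasonably possible. The element labels (`ssn`, `card_number`, etc.) are assumed names for the data elements the definition lists.

```python
"""Triage helper modelled on the Interagency Guidance definition of
"sensitive customer information". Added illustration; element names are
assumed labels, not a standard taxonomy."""
from dataclasses import dataclass

# Identifying elements: name, address or telephone number.
IDENTIFIERS = {"name", "address", "telephone"}

# Elements that, "in conjunction with" an identifier, permit access to the
# customer's account.
SENSITIVE = {"ssn", "drivers_license", "account_number",
             "card_number", "pin", "password"}

# Combinations that on their own would allow someone to log on to or
# access the account (the guidance's examples).
ACCESS_PAIRS = [{"username", "password"}, {"password", "account_number"}]


@dataclass
class Incident:
    incident_id: str
    elements: set                           # data elements exposed, e.g. {"name", "ssn"}
    misuse_reasonably_possible: bool = True  # outcome of the "reasonable investigation"


def is_sensitive_customer_information(elements: set) -> bool:
    """Apply the guidance definition to a set of exposed data elements."""
    elements = {e.lower() for e in elements}
    # Identifier plus any sensitive element.
    if elements & IDENTIFIERS and elements & SENSITIVE:
        return True
    # Any combination that by itself grants account access.
    return any(pair <= elements for pair in ACCESS_PAIRS)


def classify(incident: Incident) -> str:
    """Return the ISO's triage outcome: 'notification incident' or 'other incident'."""
    if (is_sensitive_customer_information(incident.elements)
            and incident.misuse_reasonably_possible):
        return "notification incident"
    return "other incident"


if __name__ == "__main__":
    # Constructed sample incidents for demonstration only.
    samples = [
        Incident("INC-001", {"name", "address", "ssn"}),
        Incident("INC-002", {"name", "address"}),            # identifiers only
        Incident("INC-003", {"username", "password"}),       # access pair
        Incident("INC-004", {"name", "account_number"}, misuse_reasonably_possible=False),
    ]
    for inc in samples:
        print(inc.incident_id, "->", classify(inc))
```

Note that an SSN or account number exposed without any identifying element does not meet the definition as quoted, and that the “misuse reasonably possible” flag is a judgment from the investigation, not something the code can decide.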

In a real incident, which law you should comply with will ultimately need to be approved by a lawyer. This is why you should have legal counsel available for emergency incident response team meetings, and this is why you shouldn’t fret too much about it, other than to know the code applicable in your state (in Indiana it’s Indiana Code 24-4.9), whether that code has exemptions for organizations complying with federal regulations, and then what the exact steps are to achieve the objectives of the customer notification phase of an incident response articulated above.


Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
