About Us | Contact Us
View Cart

Incident Response Laws

By Dan Hadaway | Wednesday, October 8, 2014 - Leave a Comment

47 States have Customer Notification Laws


“Which laws do we need to comply with?”

Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

ServIcons_ITAudit_01

We’re often asked a question like:

“Does Indiana (or Ohio or Illinois or . . . ) have a law regarding data breach response and, in particular, are we to notify somebody at the state?”

Yes,  Indiana and 46 other states have such a law.

You can usually find the law for your state by Googling “<your state> data breach statute.”

However, for those governed by HIPAA GLBA SOX and all the other “bad-news laws,” in most of those states, if you already comply with a federal regulation that covers customer notification, you might be able to avoid the paperwork hoops that state law often requires you to jump through.  For example, a financial institution that complies with the disclosure requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is not required to make a disclosure under the Indiana Code 24-4.9, which governs incident response for entities in Indiana.  Banks and credit unions:  We interpret this to mean that if your Incident Response Policy requires you to comply with the Interagency Guidance, then you do not have to comply with the Indiana Law. And that’s a good thing, because the Interagency Guidance is often more clear and flexible than the state laws.  (Note, these are our our opinions as Certified Information System Auditors and not attorneys or lawyers.)

When Should the Customer Notice be Provided?
The interpretive guidance states that a financial institution should provide a notice to its customers whenever it becomes aware of an incident of unauthorized access to customer information and, at the conclusion of a reasonable investigation, determines that misuse of the information has occurred or it is reasonably possible that misuse will occur.

Customer Notification (also called “Customer Notice.”)
The guidance is clear that notification to the customer must be given in a clear and conspicuous manner. The notice should include the following items:

  • Description of the incident;
  • Type of information subject to unauthorized access;
  • Measures taken by the institution to protect customers from further unauthorized access;
  • Telephone number customers can call for information and assistance; and
  • Remind customers to remain vigilant over next twelve to twenty four months, and report suspected identity theft incidents to the institution.

The guidance encourages financial institutions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies.

Delivery of Customer Notice

Customer notice should be delivered in a manner designed to ensure that a customer can reasonably be expected to receive it. For example, the institution may choose to contact all customers affected by telephone or by mail, or by electronic mail for those customers for whom it has a valid e-mail address and who have agreed to receive communications electronically.

When do we really need to start considering this?

Your Incident Response Plan should articulate a triage process performed by the Information Security Officer (or whomever the task is assigned to.)   The plan should give the ISO authority to classify incidents into “notification incidents” versus “other incidents.”  (Many organizations have a gradation of “other” incidents.)  But the point is, if it is a notification incident, the ISO “pulls the fire alarm” and an Emergency Incident Response Team Meeting is called.

The classification should be based on what type of information was breached.  (Some organizations will include additional factors such as whether the recipient of the information is known and friendly or unknown or unfriendly.)

The guidance itself establishes that customers must be notified whenever “Sensitive Customer Information” is breached.  According to the guidance, ” sensitive customer information means a customer’s name,
address or telephone number in conjunction with the customer’s Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. It also includes any combination of components of customer information that would allow someone to log on to or access the customer’s account, such as user name and password or password and account number. ”

In a real incident, which law you should comply with will ultimately need to be approved by a lawyer.  This is why you should have legal counsel available for emergency incident response team meetings, and this is why you shouldn’t fret too much about it, other than to know the code applicable in your state (and in Indiana it’s Indiana Code 24-4.9), whether that code has exemptions for organizations complying with federal regulations, and then what the exact steps are to achieve the above articulated objectives of the customer notification phase of an incident response.


Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

 


same_strip_012513


 

Latest News
    PRESS RELEASE – FOR IMMEDIATE RELEASE SERVICE NEWS Dateline: Dayton, IN, June 22, 2022 We are proud to announce that infotex will now be supporting Endpoint Detection and Response (XDR/MDR)! We can manage/monitor solutions you already have or offer one as part of our service while still maintaining a segregated response posture. In recent years […]
    Over 85 percent of surveyed companies report having no  centralized monitoring of networked industrial devices… An article review. If you are involved in IT within your organization, you’re probably aware of the importance of being able to monitor relevant activity from your networked devices, especially if your organization is involved in healthcare, finance, or government.  […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    We always strive to bring you the best content that we possibly can. Your opinion on any content, presentation, service, or anything else you have received from us is important! Please click the button below to let us know how we are doing!  
    What to Expect in an Annual Information Security Report to the Board Webinar-Movie Information security ranks as a top risk to financial institutions, both in terms of likelihood and overall impact. It is important that boards receive annual comprehensive reporting from management about the information security risks and incidents, and the actions taken to address […]
    The Five Precepts of IT Vendor Management Webinar-Movie We’re going back to basics on Vendor Management. This webinar will give you a training tool to help out that new person that is starting to take on the gargantuan task that is Vendor Management.
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    The joint cybersecurity advisory includes the 15 most exploited vulnerabilities reported in 2021… An article review.  While a lot of attention is focused on previously undisclosed or “zero day” attacks, some of the most likely attack vectors are vulnerabilities that have been widely known for weeks or even months.  That’s according to a new joint […]
    Threats are changing, EDR can help us adapt . . . Today’s advanced persistent threat (APT) understands that the IT landscape has changed. In the post-COVID age, more and more organizations have adopted some form of work from home.  While WFH offers many conveniences, it also imparts increased risks. BitSight conducted a 2021 study of […]
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]