In the event that a privacy breach occurs, every organization should have guidelines for how to respond. Such guidelines should clearly set out a process for employees to follow, including delineation of specific roles and guidance on how to contain the breach as much as possible.
-
Contain the Breach
- Stop unauthorized practices
- Attempt to recover lost information
- Shut down the electronic system that was breached
- Revoke or change computer access codes
- Correct weaknesses in physical or electronic security
- Remove any person from the workplace who was responsible for an intentional breach
-
Evaluate the Risks
- Designate a person or team to be responsible for leading the investigation
- Consider what personal information was involved, and the sensitivity of that information
-
Evaluate the potential that the information could be misused and the types of potential harm
- Identity theft
- Security risks
- Humiliation or damage to reputation
-
Consider the cause and extent of the breach
- Systemic problem vs isolated incident
-
Determine how many persons have been affected by the breach, and who is affected by the breach
- Employees
- Customers
- Members of the public
-
Consider the potential harm to your organization
- Risks to reputation
- Exposure to legal proceedings by persons whose information was compromised
- Fines or other regulatory penalties
-
Notification
- Statutory requirements
-
Potential voluntary notification
- Law enforcement (e.g., if breach was caused by illegal activity)
- Affected individuals (e.g., if you believe they could be at risk of identity fraud or other dangers)
- Relevant privacy commissioner (e.g., so they can respond to inquiries or complaints that are directed to them about the incident)
- Other relevant parties (e.g., insurers, professional or regulatory bodies, credit card companies, financial institutions or credit reporting agencies, employees’ union)
-
Prevention of Future Incidents
- Develop procedures or implement controls to correct systemic issues
- Additional security measures
- Improvements to privacy policies
- Improvements to training program
The above list is not intended to be comprehensive. Breach response protocols should be specifically tailored to the unique requirements of your business. You should consult with a privacy law expert to assist with the development of your breach response protocols.