Mandatory Breach Reporting
You have to be looking for breaches to report them.
PIPA, PIPEDA and HIPAA are all sets of regulations that involve some form of mandatory breach reporting. There are rules governing how much time you have to report a breach to the government as well as to those affected by it. Of course, there are additional rules around breach reporting, but the basic premise is that when you’ve suffered a security breach of collected personal or health information, you need to let both the government and the people whose data was compromised know about it.
That’s fine and even makes sense, but there’s a catch here. To notify anyone about a breach of information, you first need to be looking for one. A lot of regulations didn’t make this fact clear, which is one of the reasons why the most recent updates to PIPA, PIPEDA and PCI-DSS make it very clear from the beginning that your first obligation is to identify and document where vital information is.
Those updates also clearly spell out everything organizations need to do for their data to be considered “protected” in the eyes of the regulations. As for why these regulations were recently changed? My guess is that someone (or several someones) who were thought to be properly protecting their data were actually getting it very wrong.
Where is your important data?
It’s explicitly spelled out that you need to know where your important information is stored, including both physical and electronic copies. The reason is simple: if your organization doesn’t know where important data is being stored, how can it know where to target anti-malware scans and put up defenses? If you don’t know where your data is, it’s almost certainly not being protected.
Are the locations of important data documented?
This may seem obvious, but it’s not good enough that people “just know” where important data is. It needs to be officially known to the organization, which means it needs to be documented somewhere. Many organizations have a lot of knowledge locked away in the heads of their employees, but important information needs to be kept in a known, secure location to be considered properly protected.
Have you performed a risk assessment on your information?
Not all data needs to be protected with the same degree of ferocity. It’s important to know the different kinds of data you store and what could go wrong if each kind got out. The data that could cause the most damage is the data that needs the most protecting. It sounds obvious, but to figure out which data that is, you need to look at what you have.
It’s important to understand what your responsibilities are when it comes to protecting information and mandatory breach reporting. Newer revisions of laws and regulations are getting more helpful in spelling things out, but you still need to keep in mind what isn’t spelled out. If there’s a requirement to do something, you need to do what it takes to make that happen (even if that isn’t spelled out). Laws can’t possibly enumerate every situation they may apply to, but they often can be and are applied to situations not explicitly covered by the legislation. The burden of responsibility is on you as the business to ensure you’re taking appropriate steps to protect data, not on the legislation to spell out precise requirements for every situation. Protecting information properly is very important, and if you don’t know what data you have, or where it is, you can’t actually protect it.
This week’s closing Shakespearean quote comes from Julius Caesar: “When beggars die, there are no comets seen; The heavens themselves blaze forth the death of princes.”
If you’d like to learn more about mandatory breach reporting and your obligations as an SMB, contact one of TRINUS’s security experts today.
Be kind, courtesy your friendly neighbourhood cyber-man.