Unauthorized individuals have accessed nonpublic information. Who do you notify? The question applies whether the cause is documents found in a dumpster that should have been shredded, ransomware holding information hostage, or a tornado that blew files all over the county.
Definition of Information
Before we can determine appropriate action, we must first understand what exactly we are talking about. In this instance, we are talking about personally identifiable information (PII). The definition appears to be standard across all industries, whether financial, healthcare, or beyond. Note, however, that information which is publicly available on its own becomes nonpublic personal information once it is combined with consumer information collected for a service or product.
U.S. Department of Homeland Security
The U.S. Department of Homeland Security released a factsheet that defines personally identifiable information (PII).
PII is any information that permits the identity of an individual to be directly or indirectly inferred, including any information which is linked or linkable to an individual. Some PII is not sensitive, such as that found on a business card. Other PII is Sensitive PII, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
That definition leaves room for some interpretation, and even some misinterpretation if we are not careful.
Gramm-Leach-Bliley Act (GLBA)
In 1999, Congress adopted the Gramm-Leach-Bliley Act (GLBA) to provide a framework for the financial services industry. When talking about nonpublic information, we often reference GLBA; however, the privacy provisions are actually only a small section of the act. Title V of the GLBA defines nonpublic information as follows:
Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (i.e., cookies).
I like to think about it this way: what information of mine do I not want to be disclosed? When classifying data, do you assess the legal implications of that information being disclosed? What about the reputational implications if customer or consumer information is disclosed?
Considerations for your Incident Response Plan
Avoiding notification does not guarantee the preservation of reputation. Notification paired with action already taken or to be taken can work in your favor. Withholding notification and having the public learn of the disclosure from another source will rarely work to your advantage.
Your Incident Response Plan needs to include metrics to help determine what action is necessary. To help with that, address the following questions within your plan:
- What types of information disclosure require notification?
- Who is notified?
- Does your regulatory agency require notification? When in doubt, reach out to your regulatory agency. I know, I know! I hear the grumblings and eye rolls as I type this. Contrary to popular opinion, your examiners' sole purpose in their regulatory life is not to make you miserable, but rather to collaborate with you and help. Build that relationship with them.
- Does law enforcement require notification? It is a good practice to notify law enforcement (local, FBI, Secret Service, etc.). They may not be able to assist with your incident; however, it is possible they are working on a case that is linked to yours.
- Do service providers and/or insurance providers require notification? Some service agreements and insurance policies have very specific notification requirements identified. Make sure these are identified in your Incident Response Plan so you do not miss those in a time of crisis.
- Do customers require notification? In 2005, the FFIEC agencies jointly issued guidance, Response Programs for Unauthorized Access to Customer Information and Customer Notice. It clearly states that if customer information has been accessed in an unauthorized manner, timely customer notification is required.
- Do consumers and/or the public require notification? What if those affected were consumers rather than customers? Individual notification may not be feasible. Assess the impact of notification, or of the lack of it, to determine whether notification is warranted. A consumer could be a potential customer, and the notification could be what sways them one way or the other.
As you are developing the notification procedures in your Incident Response Plan, keep notification timing in mind. For example, law enforcement may need you to hold off on notifying customers and/or the general public for investigative purposes. Your insurance policy may dictate that the insurer be notified before any other action is taken. Make sure your plan outlines these dependencies and that they are reviewed as part of your Incident Response testing.
In the End
According to the Identity Theft Resource Center, in July 2019 alone, 104,546,381 sensitive records were exposed through breaches of varying types. This indicates that information disclosure is inevitable, which means a strong notification strategy is necessary.