Guidelines For Handling Privacy Breaches

Prime Minister's Office, Data Protection Office. Volume 4: Guidelines For Handling Privacy Breaches

Guidelines For Handling Privacy Breaches, Volume 4. Mrs Drudeisha MADHUB, Data Protection Commissioner. Contact Details: Tel No.: 201 3604, E-mail: pmo-dpo@mail.gov.mu, Website: http://dataprotection.gov.mu

Part I: Valuable steps for organisations to circumvent and cure privacy breaches

Objective

The objective of this document is to provide guidance to private and public sector organisations, both small and large, on how to deal with privacy breaches. Organisations should take preventative steps prior to a breach occurring by implementing reasonable policies and procedural safeguards and conducting necessary training. This document will help organisations take the appropriate steps in the event of a privacy breach and provide guidance in assessing whether notification of the privacy breach to affected individuals is required. However, not all of the recommended steps may be necessary, and some steps may also be combined.

What is a privacy breach?

A privacy breach occurs when there is unauthorised access to, alteration of, accidental loss, destruction of, or disclosure of personal information in contravention of the Data Protection Act. Some of the most common privacy breaches happen when personal information of customers, patients, clients or employees is stolen, lost or mistakenly disclosed (e.g., a computer containing personal information is stolen, or personal information is mistakenly emailed to the wrong people). A privacy breach may also be a consequence of a faulty business procedure or an operational breakdown.

Four recommendations to defeat a privacy breach

There are four key steps to consider when responding to a breach or suspected breach: (1) breach containment and preliminary assessment; (2) evaluation of the risks associated with the breach; (3) notification; and (4) prevention. Make sure that you carry out each step cautiously before you investigate the potential breach. You should undertake steps 1, 2 and 3 either simultaneously or in quick succession. Step 4 provides recommendations for longer-term solutions and prevention strategies. The decision on how to respond should be made on a case-by-case basis. Associated with this guideline is a checklist that organisations can use to help ensure they have made the appropriate considerations in dealing with a possible privacy breach.

Step 1: breach containment and preliminary assessment

- Take immediate commonsensical steps to limit the breach, for example: stop the unauthorised practice, recover the records, shut down the system that was breached, revoke or change computer access codes, or correct weaknesses in physical or technical security.
- Designate an appropriate individual to lead the initial investigation. This individual should have the appropriate authority and expertise within the organisation to conduct the initial investigation and make initial recommendations. If necessary, a more detailed investigation may then subsequently be effected.
- Determine whether there is the need to assemble a team, which could include representatives from appropriate sections of the organisation.
- Determine who needs to be made aware of the incident internally, and potentially externally, at this preliminary stage. Escalate internally as appropriate, including informing the person within your organisation responsible for privacy compliance.
- If the breach appears to involve theft or other criminal activity, notify the police.
- Do not compromise the ability to investigate the breach. Be careful not to destroy evidence that may be valuable in determining the cause or that may allow you to take appropriate corrective action.

Step 2: evaluate the risks associated with the breach

To determine what other steps are immediately necessary, you should assess the risks associated with the breach. Consider the following factors in assessing the risks:

(i) Personal information involved

- What data elements have been breached?
- How sensitive is the information? Generally, the more sensitive the information, the higher the risk of harm to individuals. Some personal information is more sensitive than others (e.g., health information, government-issued pieces of identification such as social security numbers, driver's licence and health care numbers, and financial account numbers such as credit or debit card numbers that could be used in combination for identity theft). A combination of personal information is typically more sensitive than a single piece of personal information. However, sensitivity alone is not the only criterion in assessing the risk, as foreseeable harm to the individual is also important.
- What is the context of the personal information involved? For example, a list of customers on a newspaper carrier's route may not be sensitive. However, the same information about customers who have requested service interruption while on vacation may be more sensitive. Similarly, publicly available information such as that found in a public telephone directory may be less sensitive.
- Is the personal information adequately encrypted, anonymised or otherwise not easily accessible?
- How can the personal information be used? Can the information be used for fraudulent or otherwise harmful purposes? The combination of certain types of sensitive personal information along with name, address and date of birth may suggest a higher risk due to the possibility of identity theft.

An assessment of the type of personal information involved will help you determine how to respond to the breach, who should be informed (including the Data Protection Commissioner), and what form of notification to the individuals affected, if any, is appropriate. For example, if a laptop containing adequately encrypted information is stolen, subsequently recovered, and investigations show that the information was not tampered with, notification to individuals may not be necessary.

(ii) Cause and extent of the breach

- To the extent possible, determine the cause of the breach.
- Is there a risk of ongoing breaches or further exposure of the information?
- What was the extent of the unauthorised access to, or collection, use or disclosure of, personal information, including the number and nature of likely recipients and the risk of further access, use or disclosure, including via mass media or online?
- Was the information lost or was it stolen? If it was stolen, can it be determined whether the information was the target of the theft or not?
- Has the personal information been recovered?
- What steps have already been taken to mitigate the harm?
- Is this a systemic problem or an isolated incident?

(iii) Individuals affected by the breach

- How many individuals' personal information is affected by the breach?
- Who is affected by the breach: employees, contractors, the public, clients, service providers, other organisations?

(iv) Foreseeable harm from the breach

- In assessing the possibility of foreseeable harm from the breach, have you considered the reasonable expectations of the individuals? For example, many people would consider a list of magazine subscribers to a niche publication to be potentially more harmful than a list of subscribers to a national newspaper.
- Who is the recipient of the information? Is there any relationship between the unauthorised recipients and the data subject? For example, was the disclosure made to an unknown party, or to a party suspected of being involved in criminal activity where there is a potential risk of misuse? Or was the recipient a trusted, known entity or person that would reasonably be expected to return the information without disclosing or using it?
- What harm to the individuals could result from the breach? Examples include: security risk (e.g., physical safety); identity theft; financial loss; loss of business or employment opportunities; or humiliation, damage to reputation or relationships.
- What harm to the organisation could result from the breach? Examples include: loss of trust in the organisation; loss of assets; financial exposure; or legal proceedings.
- What harm could come to the public as a result of notification of the breach? Harm that could result includes: risk to public health; or risk to public safety.

Step 3: notification

Notification can be an important mitigation strategy that has the potential to benefit both the organisation and the individuals affected by a breach. If a privacy breach creates a risk of harm to the individual, those affected should be notified. Prompt notification to individuals in these cases can help them mitigate the damage by taking steps to protect themselves. The challenge is to determine when notices should be required. Each incident needs to be considered on a case-by-case basis to determine whether privacy breach notification is required. Organisations are also encouraged to inform the Data Protection Commissioner of material privacy breaches so that we are made aware of the breach.

The key consideration in deciding whether to notify affected individuals should be whether notification is necessary in order to avoid or mitigate harm to an individual whose personal information has been inappropriately accessed, collected, used or disclosed. Organisations should also take into account the ability of the individual to take specific steps to mitigate any such harm.

(i) Notifying affected individuals

Organisations should consider the following factors when deciding whether to notify:

- What are the legal and contractual obligations?
- What is the risk of harm to the individual?
- Is there a reasonable risk of identity theft or fraud (usually because of the type of information lost, such as an individual's name and address together with government-issued identification numbers or date of birth)?
- Is there a risk of physical harm (if the loss puts an individual at risk of physical harm, stalking or harassment)?
- Is there a risk of humiliation or damage to the individual's reputation (e.g., when the information lost includes mental health, medical or disciplinary records)?
- What is the ability of the individual to avoid or mitigate possible harm?

(ii) When to notify, how to notify and who should notify

At this stage, you should have as complete a set of facts as possible and have completed your risk assessment in order to determine whether to notify individuals.

When to notify: Notification of individuals affected by the breach should occur as soon as reasonably possible following assessment and evaluation of the breach. However, if law enforcement authorities are involved, check with those authorities whether notification should be delayed to ensure that the investigation is not compromised.

How to notify: The preferred method of notification is direct (by phone, letter, email or in person) to affected individuals. Indirect notification (website information, posted notices, media) should generally only occur where direct notification could cause further harm, is prohibitive in cost, or the contact information for affected individuals is not known. Using multiple methods of notification may be appropriate in certain cases. You should also consider whether the method of notification might increase the risk of harm (e.g., by alerting the person who stole the laptop to the value of the information on the computer).

Who should notify: Typically, the organisation that has a direct relationship with the customer, client or employee should notify the affected individuals, including when the breach occurs at a third party service provider that has been contracted to maintain or process the personal information. However, there may be circumstances where notification by a third party is more appropriate. For example, in the event of a breach by a retail merchant of credit card information, the credit card issuer may be involved in providing the notice, since the merchant may not have the necessary contact information.

(iii) What should be included in the notification?

The content of notifications will vary depending on the particular breach and the method of notification chosen. Notifications should include, as appropriate:

- Information about the incident and its timing in general terms;
- A description of the personal information involved in the breach;
- A general account of what the organisation has done to control or reduce the harm;
- What the organisation will do to assist individuals and what steps the individual can take to avoid or reduce the risk of harm or to further protect themselves. Possible actions include arranging for credit monitoring or other fraud prevention tools, and providing information on how to change a social security number, personal health card or driver's licence number;
- Sources of information designed to assist individuals in protecting against identity theft (e.g., online guidance on the Data Protection Office website, http://dataprotection.gov.mu);
- Contact information of a department or individual within your organisation who can answer questions or provide further information;
- If applicable, an indication of whether the organisation has notified the Data Protection Office and that they are aware of the situation;
- Additional contact information for the individual to address any privacy concerns to the organisation; and
- The contact information for the Data Protection Commissioner.

Be careful not to include unnecessary personal information in the notice, to avoid possible further unauthorised disclosure.

(iv) Contact the Data Protection Commissioner

Organisations are encouraged to report material privacy breaches to the Data Protection Commissioner, as this will help them respond to inquiries made by the public and any complaints they may receive. The Data Protection Office may also be able to provide advice or guidance to your organisation that may be helpful in responding to the breach. Notifying the office may enhance the public's understanding of the incident and confidence in your organisation.

The following factors should be considered in deciding whether to report a breach to the Data Protection Commissioner:

- whether the personal information is subject to the Data Protection Act;
- the type of the personal information, including: whether the disclosed information could be used to commit identity theft; whether there is a reasonable chance of harm from the disclosure, including non-monetary losses;
- the number of people affected by the breach;
- whether the individuals affected have been notified; and
- whether there is a reasonable expectation that the Data Protection Office may receive complaints or inquiries about the breach.
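The Step 2 risk factors and the Step 3 notification decision are easier to apply consistently when the checklist answers are recorded in a fixed structure and the reasoning is written down with the outcome. The following is an added example, not part of the guideline and not a tool of the Data Protection Office: it encodes the factors above (sensitivity of the data elements, whether the data was encrypted and recovered untouched, whether the recipient is a known trusted party, the number of people affected, police involvement) and returns a decision with its reasons, including the guideline's own example of the stolen, encrypted and recovered laptop. The data-element categories, the `BreachFacts` and `Decision` names, and the `LARGE_BREACH_THRESHOLD` figure are assumptions made for the example; the guideline names the number affected as a factor but sets no threshold.

```python
"""Breach triage helper: turns checklist answers into the Step 2/3 decision (added example)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Harm(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Data elements the guideline singles out as sensitive: health information,
# government-issued identifiers and financial account numbers (labels assumed).
SENSITIVE_ELEMENTS = {
    "health", "mental_health", "medical_record", "disciplinary_record",
    "social_security_number", "drivers_licence", "health_card_number",
    "credit_card", "debit_card", "bank_account",
}
# Elements that, in combination, raise the risk of identity theft.
IDENTITY_ELEMENTS = {"name", "address", "date_of_birth"}

# Assumed figure: the guideline lists the number affected as a factor for reporting
# to the Commissioner but sets no threshold, so this value is a placeholder.
LARGE_BREACH_THRESHOLD = 1000


@dataclass
class BreachFacts:
    """Answers to the checklist questions that drive the decision."""
    data_elements: set
    encrypted: bool               # adequately encrypted or anonymised?
    recovered: bool               # has the information been recovered?
    tampered: bool                # did investigation show it was accessed or altered?
    recipient_trusted: bool       # known party reasonably expected to return it unused?
    individuals_affected: int
    theft_suspected: bool
    law_enforcement_involved: bool


@dataclass
class Decision:
    harm: Harm
    notify_individuals: bool
    report_to_commissioner: bool
    notify_police: bool
    delay_notification: bool      # check with the police before notifying
    reasons: list = field(default_factory=list)


def information_sensitivity(elements):
    """Step 2(i): rate the personal information involved."""
    if elements & SENSITIVE_ELEMENTS:
        return Harm.HIGH
    if len(elements & IDENTITY_ELEMENTS) >= 2:
        return Harm.MEDIUM  # a combination is more sensitive than a single piece
    return Harm.LOW


def assess(facts):
    """Steps 2 and 3: rate foreseeable harm, then decide who must be told."""
    harm = information_sensitivity(facts.data_elements)
    reasons = [f"information sensitivity rated {harm.name}"]

    # Guideline example: encrypted data that is recovered and shown untouched
    # may not require notification of individuals.
    if facts.encrypted and facts.recovered and not facts.tampered:
        harm = Harm.LOW
        reasons.append("data encrypted, recovered and not tampered with")
    elif facts.recipient_trusted and harm > Harm.LOW:
        harm = Harm(harm - 1)
        reasons.append("recipient is a known, trusted party expected to return the data")

    notify = harm >= Harm.MEDIUM
    report = harm == Harm.HIGH or facts.individuals_affected >= LARGE_BREACH_THRESHOLD
    delay = notify and facts.law_enforcement_involved
    if delay:
        reasons.append("law enforcement involved: confirm timing before notifying")
    return Decision(harm, notify, report, facts.theft_suspected, delay, reasons)


if __name__ == "__main__":
    # Constructed scenarios, not real incidents.
    laptop = BreachFacts({"name", "address", "health"}, encrypted=True, recovered=True,
                         tampered=False, recipient_trusted=False, individuals_affected=50,
                         theft_suspected=True, law_enforcement_involved=True)
    spreadsheet = BreachFacts({"name", "address", "date_of_birth", "credit_card"},
                              encrypted=False, recovered=False, tampered=False,
                              recipient_trusted=False, individuals_affected=5000,
                              theft_suspected=False, law_enforcement_involved=False)
    for label, facts in (("stolen encrypted laptop", laptop), ("emailed spreadsheet", spreadsheet)):
        d = assess(facts)
        print(label, d.harm.name, "notify individuals:", d.notify_individuals,
              "report to Commissioner:", d.report_to_commissioner, d.reasons)
```

The `reasons` list is the part worth keeping: the checklist in Part II asks you to note your reasons when you decide not to notify, and a recorded decision with its inputs is what the Commissioner or an auditor will ask for later. The thresholds here are deliberately simple; an organisation would tune the element categories and the reporting threshold to its own legal and contractual obligations.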

Regardless of what you determine your obligations to be with respect to notifying individuals, you should consider whether the following authorities or organisations should also be informed of the breach, as long as such notifications would be in compliance with the Data Protection Act:

- Police: if theft or other crime is suspected.
- Insurers or others: if required by contractual obligations.
- Professional or other regulatory bodies: if professional or regulatory standards require notification of these bodies.
- Credit card companies, financial institutions or credit reporting agencies: if their assistance is necessary for contacting individuals or assisting with mitigating harm.
- Other internal or external parties not already notified: third party contractors or other parties who may be impacted; internal business units not previously advised of the privacy breach, e.g., government relations, communications and media relations, senior management, etc.; or union or other employee bargaining units.

Organisations should consider the potential impact that the breach and notification to individuals may have on third parties and take actions accordingly. For example, third parties may be affected if individuals cancel their credit cards or if financial institutions issue new cards.

Step 4: prevention of future breaches

Once the immediate steps are taken to mitigate the risks associated with the breach, organisations need to take the time to investigate the cause of the breach and consider whether to develop a prevention plan. Organisations should also identify and analyse the events that led to the privacy breach, evaluate what was done to contain it, and recommend remedial action to help prevent future breaches.

The level of effort should reflect the significance of the breach and whether it was a systemic breach or an isolated instance. This plan may include the following:

- a security audit of both physical and technical security;
- a review of policies and procedures, and any changes needed to reflect the lessons learned from the investigation, repeated regularly after that (e.g., security policies, record retention and collection policies, etc.);
- conducting Privacy Impact Assessments (PIAs) and Threat and Risk Assessments (TRAs) where necessary;
- a review of employee training practices; and
- a review of service delivery partners (e.g., dealers, retailers, etc.).

The resulting plan may include a requirement for an audit at the end of the process to ensure that the prevention plan has been fully implemented.

Part II: Privacy breach checklist

Incident description

- What was the date of the incident?
- When was the incident discovered?
- How was it discovered?
- What was the location of the incident?
- What was the cause of the incident?

Step 1: breach containment and preliminary assessment

- Have you contained the breach (recovery of information, computer system shut down, locks changed)?
- Have you designated an appropriate individual to lead the initial investigation?
- Is there a need to assemble a breach response team? If so, who should be included (e.g., privacy officer, security officer, communications, risk management, legal)?
- Have you determined who needs to be made aware of the incident internally, and potentially externally, at this preliminary stage?
- Does the breach appear to involve theft or other criminal activity? If yes, have the police been notified?
- Have you made sure that evidence that may be necessary to investigate the breach has not been destroyed?

Step 2: evaluate the risks associated with the breach

(i) What personal information was involved?

- What personal information was involved (name, address, social security number, financial, medical)?
- What form was it in (e.g., paper records, electronic database)?
- What physical or technical security measures were in place at the time of the incident (locks, alarm systems, encryption, passwords, etc.)?

(ii) What was the cause and extent of the breach?

- Is there a risk of ongoing breaches or further exposure of the information?
- Can the personal information be used for fraudulent or other purposes?
- Was the information lost or was it stolen? If it was stolen, can it be determined whether the information was the target of the theft or not?
- Has the personal information been recovered?
- Is this a systemic problem or an isolated incident?

(iii) How many individuals have been affected by the breach and who are they (e.g., employees, contractors, public, clients, service providers, other organisations)?

(iv) Is there any foreseeable harm from the breach?

- What harm to the individuals could result from the breach (e.g., security risk, identity theft, financial loss, loss of business or employment opportunities, physical harm, humiliation, damage to reputation, etc.)?
- Do you know who has received the information, and what is the risk of further access, use or disclosure?
- What harm to the organisation could result from the breach (e.g., loss of trust, loss of assets, financial exposure, legal proceedings, etc.)?
- What harm could come to the public as a result of notification of the breach (e.g., risk to public health or risk to public safety)?

Step 3: notification

(i) Should affected individuals be notified?

- What are the reasonable expectations of the individuals concerned?
- What is the risk of harm to the individual? Is there a reasonable risk of identity theft or fraud? Is there a risk of physical harm? Is there a risk of humiliation or damage to the individual's reputation?
- What is the ability of the individual to avoid or mitigate possible harm?
- What are the legal and contractual obligations of the organisation?
- If you decide that affected individuals do not need to be notified, note your reasons.

(ii) If affected individuals are to be notified, when and how will they be notified, and who will notify them?

- What form of notification will you use (e.g., by phone, letter, email or in person, website, media, etc.)?
- Who will notify the affected individuals? Do you need to involve another party?
- If law enforcement authorities are involved, does notification need to be delayed to ensure that the investigation is not compromised?

(v) What should be included in the notification?

Depending on the circumstances, notifications could include some of the following, but be careful to limit the amount of personal information disclosed in the notification to what is necessary:

- information about the incident and its timing in general terms;
- a description of the personal information involved in the breach;
- a general account of what your organisation has done to control or reduce the harm;
- what your organisation will do to assist individuals and steps individuals can take to reduce the risk of harm or further protect themselves;
- contact information of a department or individual within your organisation who can answer questions or provide further information;
- whether your organisation has notified the Data Protection Office; and
- contact information for the Data Protection Office.

(vi) Are there others who should be informed about the breach?

- Should the Data Protection Office be informed?
- Should the police or any other parties be informed? This may include insurers; professional or other regulatory bodies; credit card companies, financial institutions or credit reporting agencies; and other internal or external parties such as third party contractors, internal business units not previously advised of the privacy breach, and union or other employee bargaining units.

Step 4: prevention of future breaches

- What short- or long-term steps do you need to take to correct the situation (e.g., staff training, policy review or development, audit)?

Designed and Printed by the Government Printing Department - March 2010