WellPoint took months to report a data breach. This is a point that regulators are enforcing more and more. Other enforcement actions related to delayed notifications suggest that nothing over 30 days will be tolerated. I think an exception would be law enforcement requested delays, but those do not happen very often.
30 days is not really 30 days. If you do not have contracts and processes in place with printing houses and credit monitoring agencies, you will have difficulty meeting a 30-day deadline. It takes time to determine what happened and then to decide whether notification is required or should otherwise be undertaken. When you add on attempting to source and negotiate the vendors and contracts related to notification, your 30 days disappears quickly. You will also pay a lot more if you wait until a breach occurs to put those arrangements in place.
- Create a detailed incident response plan that incorporates internal processes and working with external parties to facilitate notification.
- Start gaming out scenarios you are likely to face and to begin discussions on where your risk tolerance is on the issue of notification. Many organizations voluntarily notify customers, particularly in commercial arrangements because transparency is valued. Where are your lines?
- Identify and enter into contracts with vendors who will support the notification process (e.g., print houses, credit monitoring agencies). There is one-stop shopping available as well. There are many offerings. Dive deep.
- Conduct regular drills that activate your incident management plan and exercise your work with vendors. Drills over the course of the year should include a Friday at 4:30 p.m., a Monday after a long weekend, the middle of the night, and a holiday. That’s how it happens in real life.
- Don’t panic. You need to slow down to hurry up.