What data breach notification policy should enterprises follow?

A data breach notification policy is important to have, but deciding how to alert customers can be tough. Expert Mike Chapple explains some best practices.

In the wake of the OPM breach, people are questioning how data breach notifications are sent to affected parties. Some experts have criticized the federal government for sending email notifications about the OPM breach, saying that such emails could leave recipients open to phishing scams. Others argue email is the quickest and most effective way to notify people. With so many data breach notification laws instituted, what are the best ways to alert affected parties?

Data breach notification policy is a tricky topic. Organizations that have suffered a data breach must balance the speed of their notification efforts, the cost of the different options and the likelihood that recipients will actually trust the breach notice. This often comes down to a choice between sending an email and using traditional paper mail. Data breach notification laws vary by state but typically allow either approach.

If an organization's data breach notification policy takes the electronic notification route, it should follow a few best practices to bolster readers' confidence in the validity of the notice. First and foremost, it should never solicit any personal information from users through the breach notice. A request for personal data is a huge red flag that will set off phishing alarms in the minds of well-trained users.

Second, the notice should come through well-known, official channels. Use the same formatting and signatures typically used on company correspondence. Whenever possible, the message should come from someone the recipients know and trust. This is probably the biggest issue in the case of the OPM breach, where the notification came from the Office of Personnel Management. It would probably have been more effective for each government agency to send notices to its own staff through the department head's internal email account. While most federal employees probably don't know anyone in OPM, they do know the head of their own agency.

Finally, the notice should include methods for offline contact. Readers should be provided a telephone number that they can call for more information. Better yet, in the case of an employer, invite readers to contact their HR representative or supervisor for verification. That way they know the contact is legitimate.

Crafting an effective data breach notification policy is tough. When organizations follow a few best practices, they can increase the policy's effectiveness and reduce the likelihood that users will find the notification message suspicious.
