Record-Keeping Practices Must Address Record-Losing Incidents

Published October 16, 2007 

 

One of the most overlooked record-keeping strategies is planning what to do in case of a data breach. The "it won't happen to us" attitude prevents employers from giving just as much thought to creating a data breach action plan as they do to making sure they adhere to federal and state record-keeping requirements. 

The simple fact of the matter is that a records breach can happen at any organization. Especially since more and more records are being retained electronically, which means scores of data can be breached if a single laptop is stolen or lost.

Earlier this year, the U.S. Government Accountability Office (GAO) published an 80-page report on the lessons learned about notifying individuals of a records breach based on the experiences of six federal agencies, including the 2006 theft of a Department of Veterans Affairs laptop that contained the names, addresses, and Social Security numbers of more than 26 million veterans. 

Timely notification of a records breach to affected individuals is essential so that they can take the appropriate steps to protect themselves from identity theft or other misuse of their personal information. While the GAO's findings apply specifically to federal agencies, the lessons can be adapted for your organization's breach-of-records action plan.

Lesson #1: Make rapid internal notification of a potential breach an expected behavior. Instruct all employees and managers to notify either their manager or a designated member of HR of a potential records breach as soon as possible.

Lesson #2: Pre-designate a core group of senior execs to make decisions regarding the organization's response. That way, the group can be convened at a moment's notice to evaluate the situation and guide the organization's response.

Lesson #3: Have mechanisms in place to obtain contact information for affected individuals. There must be a quick and reliable way to access employee or customer addresses or other contact information so affected individuals can be readily notified in the event of a breach.

Lesson #4: Know how to help affected individuals. Be prepared to invest time and resources into providing information or taking other actions to support affected individuals.

Lesson #5: Train for the worst, hope for the best. Instruct employees and managers on your company's privacy and security procedures, including incident response and reporting procedures. Prepare employees in advance as to their roles and responsibilities in responding to a records breach.

Also, train all personnel with access to sensitive data on how best to prevent the information from falling into the hands of an identity thief.

 

Related Topic(s): Record-Keeping Documents/Identity Theft