I've been hacked, now what? - Sentek Global

I’ve been hacked, now what? Guidelines and General Recommendations for California Businesses

No matter how well your business is prepared, there is always a risk of being hacked or experiencing unintentional information disclosure. While you can’t eliminate all risk, a business can implement policies, procedures and plans (Best Practices) to mitigate potentially disruptive security events. In this whitepaper, we’ll briefly list what to do if your company has been hacked in California (CA). Listed are recommendations made by the California Office of Privacy Protection (c. 2012), which include updated definitions from California’s Amended Data Breach Law, CA Civ. Code § 1798.82, effective 1/1/2014.

California has four definitions that define at-risk data: unencrypted, computerized information, specifically:

- First name or initial and last name, plus any of the following:
  - Social Security number.
  - Driver’s license number or California Identification Card number.
  - Financial account number, in combination with any required code or password permitting access to an individual’s financial account.

Once you have determined your data has been compromised, follow these “Best Practices” guidelines, part of an overall, pre-defined Information Security Plan, as suggested by the California State Attorney General and the California Office of Privacy Protection.

Notification:

1. Take necessary steps to contain and control the affected systems. Contact Corporate Legal.
2. Conduct a preliminary investigation and assessment of the breach.
3. If the breach affects over 500 people’s personal information, notify Corporate Legal, who should then notify the CA State Attorney General at: http://oag.ca.gov/ecrime/databreach/reporting.
4. Implement the Notification Plan if the compromised information contains personal data.
5. Notify law enforcement of suspected illegal activities.
6. Notify affected individuals within 10 days of the event, unless law enforcement directs otherwise.
7. Include notification to individuals whose information is also on paper records or computer print data.
8. If individuals cannot be identified, notify the groups likely to be affected by the breach.
9. Document the identification process and who gets notified, and make efforts to find individual addresses.
10. Contact credit reporting agencies using a pre-defined Incident Plan to alert them of the breach.
11. If the breach involves consumer information, arrange a quality credit-monitoring service for those affected.

Sentek Global

www.sentekglobal.com

619-543-9550

The following standard definitions of “Personal Information” and “Breach of Security” (based on the definition commonly used by most state and federal governments) are provided below for ease of reference, and any CA variations from the common definition are listed in the chart. Medical information is included so as not to detract from the CA statute.

Personal Information: An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number; (ii) driver’s license number or state-issued ID card number; (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account. Personal Information shall not include information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.

Breach of Security: The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality or integrity of personal information.

Chart: CA statute in which the definition of “Personal Information” is broader than the Federal general definition

General Breach Notification Statute, as applies to a business: “Personal Information” of California residents. In addition: a username or email address, in combination with a password.