Communication plan for after a breach in your electronic record management network

July 8, 2009 · Posted in: HR Info Center

Business partners need to be informed as well after a security breach in your electronic record management system

If you are a vendor that maintains data for other parties, you may well have a provision in your contract with them that requires you to notify them immediately of a suspected breach in an electronic record management system. On a related point, if you have vendors that maintain your data, you want to make sure that your contracts with them contain provisions requiring them to notify you immediately if there is any suspicion of a breach.

Notice responsibility for security breaches in electronic record management systems
The way breach notification laws work is that if a vendor learns of a breach, its only obligation is to inform the owner of the data. It is the data owner's responsibility to go out and inform all of the affected individuals. So, in other words, even if the breach occurs while the data is in your vendor's hands, you are still the one that has to deliver the bad news.

This emphasizes the importance of having good data security provisions in your electronic record management contracts with your vendors, so you know what they are obligated to do to protect your data.

Consider having an indemnification provision, because providing breach notification can be expensive, and you may want to shift at least part of that burden to the vendor, particularly if the breach occurs on the vendor's watch, so to speak.

Vendor due diligence in electronic record management security breaches
Be careful in selecting your vendors. Make sure that you are using somebody you can rely on, so you do not end up in a situation where you have to inform your customers that your vendor had a breach of their data. Due diligence is the most important precaution there.

A corporate communication plan, including worst-case scenario planning, is essential in electronic record management.

For instance, your customer service employees would need to have a script so that, if they get calls from concerned customers or other individuals, they know how to answer those questions. You should also make sure that employees are informed of what is going on. Even though you want employees to refer any questions to the designated spokesperson, they need to have an understanding of what has happened as well, in part to make sure that misinformation is not going around, and so that employees know what they should be doing if they get questions or have concerns themselves.

It is common, by the way, but not required, to provide free credit reports to individuals who are affected by a breach. That seems to be an increasingly common part of getting your response team ready and thinking about who has authority to do what.

Think about who needs to sign off, so to speak, on granting or offering credit monitoring services. Because it is an additional expense, it is something you might want to consider, and again, you would need to know upfront who has the authority to make that call in a very short period of time.

Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.
