- Blog post
Four critical questions to ask after a security breach in your electronic records management system
Electronic records management security covers both before and after the event
In the event you think there has been a security breach in your electronic records management system, pre-planning like this might give you some ideas of what to do if you have a breach situation.
- Why you’re gathering all of this information about the states and the types of data
The reason for the data inventory is to figure out whether you should inform local law enforcement. Law enforcement actually takes a fairly active role in data security depending on where you’re located. And in fact, we’ve seen the Secret Service and the FBI get involved in investigating these cases.
For instance we had a company that had a Secret Service agent show up on its doorstep and say, “Hey, we want to take a look at the computer with this IP address, because some fraudulent credit card purchases have been made from that computer.” When they looked at the computer, they discovered that the credit card number used to make fraudulent purchases came from customer data. The employee was not a criminal mastermind and they actually placed the fraudulent orders from the work computer and had the packages sent to her home address. It was interesting because it was not a large dollar amount involved, however, Federal agents were interested enough to get involved. So, basically if you think that there might be a crime involved in the data breach of your electronic records management system – if somebody stole data or an employee has stolen a laptop with confidential data-definitely consider informing law enforcement.
- When is it ok not to inform customers after a breach of your electronic records management system?
This is not a step you take in all cases. For instance, if somebody just lost their Blackberry or lost their laptop, you may not need to do that. But it is something to consider. If local law enforcement or federal law enforcement asked you to delay providing notice, you can delay providing notice under the breach laws. In other words, if they’re investigating and your notice might compromise their investigation, they can tell you to wait. And you would comply with that instruction.
- Who else requires a notice with electronic records management systems breaches?
Additionally, beyond just providing notice to the affected individual, many states require notices to the regulatory agencies. So, for instance, New York requires notice to state government agency, New Jersey, North Carolina, New Hampshire, Maine, Hawaii, Louisiana and other states require notice of the consumer reporting agencies.
- What type of notice is required after a breach of the electronic records management system
Approximately 16 states allow it notice by telephone as opposed to written notice. That will give you the choice of which to provide. We find that in many cases, companies liked to provide telephone notice at least to some customers in some breaches as a way to provide more personal touch. So, you consider how you want to provide the notice.
You also again, need to determine who gets the notice. You have to report in the credit reporting agencies. You have to notify your regulatory agency.
Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.