In the wake of the OPM breach, people are questioning how data breach notifications are sent to affected parties. Some experts have criticized the federal government for sending email notifications about the OPM breach, saying that such emails could leave recipients open to phishing scams. Others argue email is the quickest and most effective way to notify people. With so many data breach notification laws instituted, what are the best ways to alert affected parties?
Data breach notification policy is a tricky topic. Organizations that have suffered from data breaches must balance the speed of their notification efforts, the cost of different options and the risk that recipients will not trust a breach notice. This often comes down to a decision between sending an email and using traditional paper mail. Data breach notification laws vary by state but typically allow the use of either approach.
If an organization chooses a data breach notification policy that goes with the electronic notification route, it should follow a few best practices to bolster readers' confidence in the validity of the notice. First and foremost, it should never solicit any personal information from the users through the breach notice. That's a huge red flag that might set off phishing alarms in the minds of well-trained users.
Second, the notice should come through well-known, official channels. Use the same formatting and signatures typically used on company correspondence. Whenever possible, the message should come from someone the recipients know and trust. This is probably the biggest issue in the case of the OPM breach, where the notification came from the Office of Personnel Management. It would probably have been more effective for each government agency to send notices to its own staff through the department head's internal email account. While most federal employees probably don't know anyone in OPM, they do know the head of their own agency.
Finally, the notice should include methods for offline contact. Readers should be provided a telephone number that they can call for more information. Better yet, in the case of an employer, invite readers to contact their HR representative or supervisor for verification. That way they know the contact is legitimate.
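The three practices above can be checked mechanically before a draft notice goes out. The following Python script is an added example written for this page; it is not code from the original answer or from any agency. It lints a plain-text email draft against the three points (no solicitation of personal information, an official sender domain and official link hosts, an offline way to verify). The two draft messages, the trusted domain `agency.example.gov` and the lists of personal-information terms are all constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample: a draft written the way the answer recommends, sent from
# the recipients' own agency and pointing to offline verification channels.
GOOD_DRAFT = """From: Director's Office <director@agency.example.gov>
Subject: Notice regarding the recent data incident
To: staff@agency.example.gov

Dear colleague,

We are writing to let you know that some personnel records were exposed.
No action on your part is required to receive credit monitoring.
If you have questions, call the incident hotline at 555-0100 or
contact your HR representative or supervisor.

--
Office of the Director
"""

# Constructed sample: a draft that asks for personal data, comes from an
# unfamiliar domain, links to that domain and offers no offline contact.
BAD_DRAFT = """From: Security Team <noreply@opm-notice.example.net>
Subject: Urgent: verify your identity
To: staff@agency.example.gov

To confirm you are affected, please reply with your Social Security number
and date of birth, or log in at http://opm-notice.example.net/verify with
your password.
"""

# Assumed organisation domain; a real deployment would list its own domains.
TRUSTED_DOMAINS = {"agency.example.gov"}

# Terms whose presence suggests the notice is soliciting personal information.
PII_PATTERNS = [
    r"social security number", r"\bssn\b", r"date of birth", r"\bpassword\b",
    r"account number", r"credit card", r"mother'?s maiden name",
]
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b|\b\d{3}[-. ]\d{4}\b")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def sender_domain(msg: Message) -> str:
    """Return the lower-cased domain of the From: address, or '' if absent."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def is_official(host: str, trusted) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def lint_notice(draft: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Check a plain-text email draft against the three notification practices.

    Returns {'ok': bool, 'findings': [str, ...]}; an empty findings list means
    the draft passed every check.
    """
    msg = message_from_string(draft)
    body = msg.get_payload()          # single-part, plain-text draft assumed
    text = body.lower()
    findings = []

    # Practice 1: never ask recipients for personal information in the notice.
    asked = [p for p in PII_PATTERNS if re.search(p, text)]
    if asked:
        findings.append("solicits personal information: " + ", ".join(asked))

    # Practice 2: use a well-known, official channel. Checked here as the
    # From: domain and every link host belonging to the organisation.
    dom = sender_domain(msg)
    if not is_official(dom, trusted):
        findings.append(f"sender domain is not an official channel: {dom or '(none)'}")
    for host in URL_RE.findall(body):
        if not is_official(host.lower(), trusted):
            findings.append(f"link to non-official host: {host.lower()}")

    # Practice 3: give an offline way to verify (phone, HR representative, supervisor).
    offline = PHONE_RE.search(body) or "hr representative" in text or "supervisor" in text
    if not offline:
        findings.append("no offline contact (phone number, HR representative or supervisor)")

    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    for name, draft in (("good", GOOD_DRAFT), ("bad", BAD_DRAFT)):
        result = lint_notice(draft)
        print(name, "OK" if result["ok"] else "FINDINGS")
        for f in result["findings"]:
            print("  -", f)
```

The checks are deliberately simple substring and regex tests; they will not catch every problematic phrasing, but they catch the patterns the answer singles out as phishing red flags and are cheap to run as a gate in whatever approval step precedes a mass notification.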
Crafting an effective data breach notification policy is tough. When organizations follow a few best practices, they can increase its effectiveness and reduce the likelihood that users will find the notification message suspicious.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)