GAO Reports on Lessons from Breach Notification

Ever wondered why data breaches seem more prevalent in the last two or three years? Well, it started with the ChoicePoint incident, and that was only reported because California had passed a Notification Requirement just prior, legally binding any company to disclose such a breach. It is the same law that required Los Angeles County to disclose that it had casually discarded thousands of personal paper records last year. All the news about such data breaches since then is a result of similar Notification Requirements being adopted elsewhere. We can only assume that such breaches were happening long before there were Notification Requirements.

Notification Requirements are, therefore, a big hammer for forcing companies to put proper information protection programs in place.

The GAO has released a report on the lessons learned from breach notification events. Some of its recommendations are:

  • Because incidents vary, a core group of senior officials should be designated to make decisions regarding an agency’s response.
  • Mechanisms must be in place to obtain contact information for affected individuals.
  • Interaction with the public requires careful coordination and can be resource-intensive.
  • Internal training and awareness are critical to timely breach response, including notification.
  • Third-party contractor responsibilities for data breaches should be clearly defined.

The report will most certainly be used by Congressional policy makers struggling with expanding the Notification Requirement. NAID is especially supportive of the recommendation that the contractor's responsibility be clearly defined, and will use it in its continuing push to require all businesses to have a contract with any company selected to provide secure information destruction services.

Click here to access the entire report.