Respond

Question 1

4 respond principles

Answer 1

1. information requests
2. legal compliance
3. incident response planning (IRP)
4. incident handling

Question 2

requests: 2 layers response

Answer 2

leverage privacy governance structure:

• first level/tier responders for common questions
• privacy team and CPO for second level

Question 3

Negligence elements (when fail to notify DS of breach)

Answer 3

1. Duty of care of org to DS = duty to have system to detect unauthorised access (but system designed to protect network)
2. Failure to meet standard of care of RPP
3. Proximate cause (generally multiple causes)

Question 4

IRP responders

Answer 4

1. IS - forensic investigation, delete embedded malware, correct vulnerabilities
2. Legal - help limit liability from breach; advise on response to notification requirements (who, how, when)
3. HR - information conduit to employees after breach
4. Marketing - positive consistent message during crisis; hi volume e-mail for notification
5. Business development - relationship of trust with customers; notify key accounts
6. communications and PR - media relations and coordination of internal/external messages
7. union leadership - communication/coordination with union members
8. Finance - calculate cost of breach responsibility and allocate necessary funds; arrange cyber insurance coverage
9. President/CEO - held personally accountable; may publicly comment
10. Customer care - may use these employees in breach response

Question 5

Privacy incident (breach) definition

Answer 5

any potential, actual compromise of PI in form that facilitates intentional or unintentional access by unauthorised third party

Question 6

escalation

Answer 6

internal process of employees alerting supervisors about incident, who report to pre-defined list of experts

Question 7

IRP

Answer 7

1. pre-notification process: to determine whether incident constitutes reportable breach
2. isolate compromised system containing damage, preserve electronic evidence, chain of custody (legal and IT)
3. consult legal to determine whether need to notify
4. Elements of IRP
   - contact stakeholders
   - timetable
   - progress reporting
   - response evaluation and modifications

Question 8

US fed govt (OMB) guidance re breach notification requirement

Answer 8

Cautions against notification when breach poses little or no risk of harm. To assess risk of harm, consider:

• nature of data elements breached
• no. of individuals affected
• likelihood that information is accessible and usable
• likelihood that breach may lead to harm
• organization’s ability to mitigate risk