
Data Breach Notification Myths Busted

With the advent (and multiplication!) of privacy regulations around the world at both national and sub-national levels, it can be hard to know what your obligations and responsibilities are under these laws. These various frameworks are driven by governments, regulators, and other professional bodies, and as a result there is little uniformity between the demands of the different schemes. Particularly when you consider the specific cybersecurity requirements that each regulation imposes in the event of a data breach, it can be hard to know how to be fully compliant.

In this article, we want to eliminate some of this confusion by summarizing the most relevant regulations in the EU, Canada, and the USA, clearing up some common myths and misconceptions about breach notifications, and giving IT managers an overview of how and when to properly disclose breaches. We also provide a free Data Breach Notification Kit to help you prepare for this possibility and execute when you need to.

How We Got to Where We Are Today

Privacy fines and concerns about breach notification date back as far as 1996 with HIPAA (Health Insurance Portability and Accountability Act), when healthcare institutions wanted the ability to transfer health data. HIPAA established a set of regulations on how patient information needs to be protected as it moves between systems, as well as fines for failure to protect that data sufficiently.

As time went on, this type of regulatory system was set up for different data types (things like addresses, phone numbers, license plates, and credit card data, to name just a few) and these compliance regimes now extend from the national level down into individual provinces and states.

For the purposes of our discussion, we’ll be talking about some of the most relevant privacy regulations for businesses based in North America:

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Adam Mansour. Read the original post at: https://www.intelligonetworks.com/blog/data-breach-notification-myths