Incorporating crisis communications
The notion that serious security incidents can be kept secret has long passed. High-profile security incidents, such as those that impacted Target and TJX, have been made very public. Adding to this lack of secrecy are the new breach notification laws that impact organizations across the globe. The General Data Protection Regulation (GDPR) Article 33 has a 72-hour breach notification requirement.
Other regulatory or compliance frameworks, such as the Health Insurance Portability and Accountability Act (HIPAA) Rule 45 CFR, § § 164.400-414, stipulate that notifications are to be made in the event of a data breach. Compounding legal and regulatory communication pressures need to be communicated to internal business units and external stakeholders. While it may seem that crafting and deploying a communications plan during an incident is a waste of resources, it has become a necessity in today’s legal and regulatory environment. When...
