Critique discussion below,ts

Communication Regarding the Upcoming Release of an Updated “Data Breach Reporting Policy” for Red Clay Renovations

Written by: Travis Skyberg

Points of Contact: Eric Carpenter – CISO – Owings Mills

Erica Knox – ISSO – Baltimore

Alison Knox-Smith – ISSO – Philadelphia

Travis Skyberg – ISSO – Owings Mills

At Red Clay Renovations, we take everything from privacy to security very seriously. This means taking all necessary measures to protect the company, employees, and especially our valuable customers. As everyone is well aware, data breaches are an all too common occurrence and a continuous threat to any business big or small. In 2019, a data breach cost a U.S. company $8.19 million on average, which could easily force a mid-sized company such as Red Clay Renovations to go under (Brook, C., 2019). For this reason, our company must closely follow state and federal laws regarding data breaches and ensure compliance. Although we currently have what seems to be a sound plan in place for when any type of breach occurs, updated laws have forced the company to revisit its current policies and bring about updates to meet the requirements of the laws. This communication is being set forth to both prepare and make field office managers and employees aware of the new data breach reporting policy.

At the core of sound security and defense are comprehensive policies which outline the rules, regulations, and strategies which will help to protect the company, employees, and customers. Even though we would all hope that, through these fundamentals, incidents like data breaches will not happen, the reality is that they do. Therefore, additional policies are necessary to ensure that any occurrence is reported immediately to the proper personnel so that urgent steps can be taken to notify company executives, the IT Department, and law enforcement (if necessary). An immediate investigation is crucial to understand where or in what system the breach occurred, what information was taken, how the breach happened, and, most importantly, how sensitive the information was and whom it affected. This information is critical not only to trying to track down the offenders, but also to deciding when and if notifications will be necessary to those who may have been affected.

Much of the Red Clay Renovations data breach reporting policy will remain unchanged, and employees will continue to notify their immediate supervisors or managers when an incident occurs. They will then report it to the managing director for the location. The major change is that the managing directors will need to ensure the information gets to the company Chief Information Security Manager (CISO) Eric Carpenter as soon as possible, which was not required previously. This is on top of ensuring that all the pertinent information regarding the incident is brought together to aid in the investigation. Even though, under the current guidance (FIPS 199/200 standards and as specified in NIST SP 800-53 Revision 4), field managers are the IT system owners, they will no longer be directly handling security incidents such as data breaches (King, V., 2018 pg. 8). As stated previously, this change has come about due to changes in state and federal laws/regulations which govern security incidents and data breaches.

When a data breach occurs, time is of the essence. Even though parts were already touched on previously in this communication, it is important for everyone to understand the data breach reporting process and the steps which take place. It cannot be overstated how critical awareness is at the lowest levels and how, once suspected, the breach must be reported immediately. This is very important as the first step in the process is verifying that a breach has definitely occurred (Swire, P. Kennedy-Mayo, D., 2018, pgs. 341-344). This is carried out not because the employee who reported the incident is not trusted, but because the breach must be verified before man-hours and finances are poured into an investigation and the possible legal matters which come with a breach. Once this is completed, there must be an attempt to contain, retrieve, or shut down the breach, along with a comprehensive analysis as to how it occurred and what sensitive, proprietary, or personally identifiable information (PII), if any, has been taken (Swire, P. Kennedy-Mayo, D., 2018, pgs. 341-344). This directly applies to the next step, which is notifying those affected by the breach, those whose information has been stolen (Swire, P. Kennedy-Mayo, D., 2018, pgs. 341-344). It is crucial this happens as soon as possible, as those affected may need to monitor their credit reports and be on the lookout for suspicious activity, and, depending on the state in which the breach occurred, there are time limits for reporting the breach to those affected. Finally, once it is understood how the breach occurred, steps can be put in place to prevent it from happening again. This could be updating security measures, additional employee training, etc. (Swire, P. Kennedy-Mayo, D., 2018, pgs. 341-344). Some of this information may seem like it is unnecessary for most, but it is imperative that the entire Red Clay Renovations family is on the same page to help ensure the future of the company.

I would like to thank you all for taking the time to thoroughly read this communication and hope you all understand what an important part of each and every process you all are. Mr. Carpenter and his team are working to update the current data breach reporting policy and as soon as it is complete, we will circulate the policy to everyone and ensure that the Information Systems Security Officers (ISSO) at each location are available to answer questions and address concerns. As part of this company, we all have a personal responsibility to make sure that data security is taken very seriously and that we all follow the steps in company policies such as the IT Acceptable Use Policy and Digital Media Sanitization, Reuse, & Destruction policy to protect sensitive information. It will be important that, as each policy is updated, implemented, and made available to everyone, it is carefully read and everyone has a clear understanding. Again, thank you for your time and patience as we work to update many of the information security policies within the company.

References

Brook, C. (2019). What’s the Cost of a Data Breach in 2019? Retrieved from https://digitalguardian.com/blog/whats-cost-data-breach-2019

King, V. J. (2018). Red Clay Renovations, Company Profile. Retrieved from https://learn.umuc.edu/d2l/le/content/443678/viewContent/17385621/View

Swire, P., Kennedy-Mayo, D. (2018). U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals. Portsmouth, NH. International Association of Privacy Professionals (IAPP).
