Page 39 - Delaware Medical Journal - March/April 2020
CASE REPORT | MSDIS CORNER

communications, as well as timeframes and guidelines for disclosing a cyber incident to affected parties. Depending on the jurisdiction and industry, incident reporting may be required by law to regulators (such as attorneys general or the U.S. Department of Health and Human Services), other law enforcement authorities, and individuals affected by the breach.
On April 14, 2018, Delaware amended its data breach law, requiring any person who conducts business in Delaware and who owns, licenses, or maintains personal information of Delaware residents to notify Delaware residents that their personal information has been subject to a data security breach. Notice must be provided without unreasonable delay, but not more than 60 days following discovery of the security breach, unless the person suffering the breach determines, after an appropriate investigation, that the breach is unlikely to result in harm. When a security breach affects more than 500 Delaware residents, the person must also provide notice to the Delaware Attorney General.
Delaware’s data security breach law requires two different types of notice. The first is notice to Delaware residents whose personal information has been subject to a security breach. The second is notice to the Delaware Attorney General when the security breach affects more than 500 Delaware residents. The Consumer Protection Unit has forms available for both types of notice. Persons required to provide notice of a data security breach to the Delaware Attorney General should use the online form available at attorneygeneral.delaware.gov/fraud.
Incident communications must strike the right balance between openness and protection. Press releases, announcements, or disclosure statements should be coordinated with legal and communications teams and contain clear language for the intended audience.
PRACTICE CYBER-INCIDENT RESPONSE PLANNING
CIRPs tend to emphasize frequent testing of network recovery backup systems, but there is often little practice with the crisis management process of the response plan. It is equally critical to test both components, as either may cause a response to fail if it is not practiced and ingrained.
Organizations should routinely test procedures to prepare individuals with incident response responsibilities for actual events. The test can be used to update incident handling and reporting procedures; validate emergency contact information of vendors, law enforcement, and stakeholders; and provide a forum for new and emergent needs of the CIRP to be built and implemented. Experts recommend testing exercises at least once every 12 months, to help identify any operational gaps and hiccups in execution that need to be corrected or eliminated.
PRESELECTING INCIDENT RESPONDERS
A strong CIRP should contain a shortlist of incident responders who have been vetted and approved by the totality of the organization and not just the IT department. The list should outline CIRP     expertise, and hourly rate. It may be vital to include whether a listed vendor offers a retainer, which guarantees quick and priority response during a crisis. Ultimately, a strong CIRP should contain a list of trusted partners who understand the organization’s processes and systems and can respond immediately to a crisis situation on-time and on-budget and in conjunction with any in-force cyber policy.
CONTRIBUTING AUTHOR
■ SHARON RUTH is a Senior Client Advocate who wastes no time when it comes to advocating for her clients and prospects. She coordinates all lines of Property and Casualty coverage for the Medical Society of Delaware Insurance Services, Inc. (MSDIS), specializing in Medical Malpractice. She will be happy to assist you with your insurance questions or concerns. Contact Sharon at 302-397-0173 or sharon.ruth@usi.com.

Del Med J | March/April 2020 | Vol. 92 | No. 2 | 87