Ronald I. Raether, Jr.
Ronald I. Raether, Jr. is a partner at Faruki Ireland & Cox P.L.L. in Dayton, Ohio.
The emergence of Breach Notification statutes in 46 states places a clear responsibility on data stewards to understand the posture of PII in their custody. But with a range of statutory definitions and approaches, and still no "harmonizing" federal framework, questions quickly arise concerning the existence of a breach, and the remedial steps required in response.
It is Friday afternoon. You are looking forward to a relaxing weekend, spending time with your friends, and finally getting around to that list of activities that you have not had time for lately. Just a few more emails, and it is off to dinner at your favorite restaurant. At least that was the plan until just a few minutes ago, before Tom walked into your office.
Tom is from Human Resources, and he is reporting that an employee’s bag was stolen from his gym locker. A company thumb drive was in the bag. Tom is coming to see you because the employee may have stored protected personal information on the thumb drive. You were recently named as the initial contact for potential data breaches in the company’s incident response plan. To watch a video acting out this scenario, go to www.xtranormal.com/
watch/11907723 (last visited June 30, 2011). So what should be the next step?
I have written before on developing an incident response plan and what should be included in the plan.1 The basic concepts have not changed over the last few years. However, a few central questions have been developing, which still remain somewhat unclear today. How do you know if there has been a data breach that requires notice? Who should be notified?