
Data Breach of Personally Identifiable Information

Authors: Denise Mauzy, Bruce Bull, and Haidee Bernstein, DaSy

I just learned about two different data breaches! I know my state needs to strengthen our data breach policies and hold privacy trainings!

The first incident was in a small rural jurisdiction. They released a data report highlighting the great progress their children have made. Although initially heartwarmed, I quickly realized that because they have so few children, I could easily identify several of the children and their families by cross-referencing the data in some of the reports. Although well meaning, this is a serious data breach.

The second incident occurred through social media. A preschool teacher was working with a child on a new skill and took a picture on her phone and sent it to his parents. She did not pay attention to the two other children in the background; plus, she used her personal phone. Mom and dad were really proud of their child’s achievement and posted the picture online that night. The preschool director received a phone call from an unhappy parent who saw her child in the background in the video. Although this teacher’s intentions were good, this is a privacy breach.

Neither of these instances of breach was intentional, but that does not change the fact that they are breaches. I need strategies to prevent these occurrences from happening in the future.

— Harriett B., Coordinator

Have you seen Harriett’s scenarios in your state? Have you developed adequate policies to guide data sharing and electronic communication? We are in an age of rapidly changing technology and access to increasing amounts of data. Policies and training on data security and the release of personally identifiable information are critical, as is having a response policy in case a breach does happen.

Both of Harriett’s data breach scenarios were inadvertent, but other breaches are deliberately orchestrated by hackers. Whether intentional or unwitting, data breaches have the potential to negatively affect families and staff, especially those who are sensitive about having any personal information revealed. Even with comprehensive prevention strategies in place, no system is completely immune to breaches, so preparation for them is crucial. A data breach response policy establishes a set of procedures to be followed in the event of a data breach:

  • How and when the breach should be reported to authorities
  • How and when to inform the public—specifically those at risk because of the data breach
  • Recommendations to the public to reduce the post-breach risk
  • Sanctions the agency might consider if warranted
  • Strategies to minimize the future risk of a breach

It is important to develop strong data release and communications policies, provide training for staff members, and review the policies periodically to keep them current in this fast-paced age of communication.

The DaSy Data Governance Toolkit can be useful, with its policy considerations and templates for electronic communications policies and data security and access policies. Additionally, the Data Breach Response section includes resources to support the development of a comprehensive data breach policy so that if you do find yourself in a situation similar to Harriett’s, you will have guidance on how to respond.

If you have questions regarding data governance or the Data Governance and Management Toolkit, please contact DaSy.