How would you tackle an incident where data was sent to multiple unintended distribution lists externally and no response comes back to confirm that data was deleted?
Thanks
Smurf333
Firstly, I would look at following any internal SOP you have for dealing with incidents. Secondly, you should consider assessing the incident, either using an internally agreed process, or looking at the regulator’s website (ICO in the UK) to determine if it is reportable. If you don’t have an internal SOP, once again look at the regulator’s site for guidance and follow that. In the event that you have not received responses, a chaser would be the first option, and you should also re-assess the risk. Thereafter, if you have not done so already, you need to consider the interests of the data subjects impacted by the incident and warn them of the potential impact, the corrective action that you as an organisation will take, and the action they need to consider to mitigate any damages. Hope that helps.
LucyR
Try again, but ultimately it’s out of your control. If you document the incident as a breach and what you have reasonably done to mitigate it, that covers the ‘accountability’ angle.