In September 2015, the Department of Homeland Security's chief privacy officer asked the Data Privacy and Integrity Advisory Committee to provide written guidance on best practices for notifying individuals impacted by a large-scale data breach. The DHS outlined four questions for the committee to consider, and this document focuses on them:
- In the context of large-scale data breaches, what criteria should the Privacy Office consider to inform DHS’s decision of whether and when to notify the impacted individuals?
- Once DHS has decided to notify impacted individuals, what are best practices with respect to the source, content and delivery mechanism (e.g., mail, e-mail) for the notification?
- Is it possible to “over notify” by saturating affected individuals with information or bulletins?
- In addition to delivering the actual notification, are there best practices supporting a notification process (e.g., establishing a call center) that should be considered?