Privacy: Lessons Learned about Data Breach Notification

Citation
Government Accountability Office, Privacy: Lessons Learned about Data Breach Notification (GAO-07-657) (Apr. 30, 2007) (full-text).

Overview
The GAO investigated a May 2006 data breach at the Department of Veterans Affairs (VA) and other similar incidents. The GAO identified the following lessons learned regarding how and when to notify government officials, affected individuals, and the public: (1) rapid internal notification of key government officials is critical; (2) because incidents vary, a core group of senior officials should be designated to make decisions regarding an agency's response; (3) mechanisms must be in place to obtain contact information for affected individuals; (4) determining when to offer credit monitoring to affected individuals requires risk-based management decisions; (5) interaction with the public requires careful coordination and can be resource-intensive; (6) internal training and awareness are critical to timely breach response, including notification; and (7) contractor responsibilities for data breaches should be clearly defined.