Tabletop Exercise - September 2016

Scenario:

You receive news that one of your employees has accidentally disclosed sensitive personally identifiable information (PII) records for over 200 clients and personnel.  This occurred when they emailed a document that had not been properly scrubbed to a contractor.  The employee had recently been trained on the handling of PII by your privacy and/or security staff.

Items to discuss:

  • How does your organization handle this disclosure of PII?
  • Whom do you contact regarding the disclosure?
  • Who would be responsible for taking the lead?
  • What policies or practices do you have in place to address the data loss?
  • What should management do?  Who else in the organization should be involved?
  • Do you reprimand the employee?
  • What, if anything, do you tell your constituents who were NOT impacted?

Items to report:

  • Did communications flow as expected? If not, why?
  • Were processes and procedures followed?
  • Were there any surprises?
  • How well did the exercise work for your organization?