Tabletop Exercise - September 2016


You receive news that one of your employees has accidentally disclosed sensitive personally identifiable information (PII) records for over 200 clients and personnel. This occurred when the employee accidentally emailed a document that had not been properly scrubbed of PII to a contractor. The employee had recently been trained on the handling of PII by your privacy and/or security staff.

Items to discuss:

  • How does your organization handle this disclosure of PII?
  • Who do you contact regarding the disclosure?
  • Who would be responsible for taking the lead?
  • What policies or practices do you have in place to address the data loss?
  • What should management do?  Who else in the organization should be involved?
  • Do you reprimand the employee?
  • What, if anything, do you tell your constituents who were NOT impacted?

Items to report:

  • Did communications flow as expected? If not, why?
  • Were processes and procedures followed?
  • Were there any surprises?
  • How well did the exercise work for your organization?