Third-Party Notification Module

Entities in the finance, insurance, healthcare, and other highly regulated industries must comply with an increasingly complex maze of breach notification rules. Adding contractual notification obligations to the mix makes an already difficult task practically impossible to manage.

Organizations owning or processing regulated data can have hundreds if not thousands of clients, business associates, service providers, and other external entities with whom they do business. These business relationships mandate protection of regulated data and require notification to the data owners if there is an unauthorized disclosure of the data due to malicious or inadvertent incidents.

Until now, managing contractual notifications has been a manual, time-consuming process that requires sifting through contracts, and creates risk of noncompliance. Contractual notification obligations are often measured in hours or days rather than weeks or months, providing a major challenge to compliance. Noncompliance can result in serious consequences, including termination of relationships if obligations are not satisfied.

Regulatory jurisdictions are displayed alongside the contractual jurisdictions, allowing you to easily scan and prioritize your data breach response.

Introducing Contractual Obligation Workflow

With this patented feature, you can manage contractual notification obligations for both your upstream and downstream business relationships with clients, service providers, and business associates.

For managing upstream notification obligations to your clients, RadarFirst seamlessly extends its regulatory workflow to identify and provide guidance on all relevant incidents involving client data and contractual notification requirements.

For tracking downstream notification obligations from service providers or business associates that process your data, RadarFirst establishes a process for managing and gaining insights about which of your downstream entities pose high risk to your organization and how well they comply with their notification obligations.

You can take advantage of a fully integrated RadarFirst workflow to manage all regulatory and contractual incident response obligations, prove compliance, and mitigate risks stemming from incidents involving your own data or data that you process for your clients.

Third-Party Notification Module

• Efficiently manages your contractual notification
  obligations with clients or upstream entities (who you
  must notify)
• Effectively monitors compliance by your service providers or downstream entities (who must notify you)
• Uses the RadarFirst Breach Guidance Engine™ to assess the risk associated with an incident, and determine whether one or multiple clients must be notified
• Captures important contractual notification details for each external entity, including multiple notification timelines and contacts
• Provides easy tracking of notification due dates and proof of compliance with contractual obligations
• Allows for a nuanced configuration in which downstream entities act an agent of your organization, to more accurately specify the correct incident discovery date
• Tracks if your downstream entities remain compliant with contracts, so you may better identify which entities present a risk to your business

Managing PCI Incidents with the Contractual Obligations Workflow

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that apply to companies working with and associated with payment cards, including merchants, financial institutions, point-of-sale vendors, and hardware or software developers who create and operate the global infrastructure for processing payments.

If your organization’s PCI data is compromised in an incident, that incident must undergo a multi-factor risk assessment in order to determine if the incident qualifies as a data breach and requires notification to state and federal regulators.

In addition, your organization may be contractually obligated to notify multiple credit card issuers, merchants, and associations of this data breach. The Contractual Obligations Workflow can help meet these notification requirements for incidents involving PCI data.