Why must state agencies submit their notices to the Office of Information Security for review and approval before they are released to affected individuals?

In order to be effective and helpful to individuals placed in jeopardy by a breach, the notice must contain the appropriate elements given the facts involved. For example, a notice that advises an individual to place a fraud alert on their credit files when only limited medical information, such as a treatment diagnosis were involved, and not their social security or driver’s license number will do little to help the individual mitigate their risk in this situation. The Office of Information Security (OIS) must review the notice to ensure, given the data elements involved, the circumstances of the loss or theft, and any number of other relevant factors that the notice serves to mitigate further risk and potential impact to both individuals and the state. Some of the potential impacts from an erroneously worded notice are:

1) recipient confusion about the steps they should take;

2) further recipient frustration and escalation from inaccurate or incomplete instructions; and,

3) a surge in follow-up inquiries for both the reporting agency and the OIS.