Your revision of the IRP to incorporate the GDPR-related issues took you the better part of the week (and the weekend) to prepare and submit. Your colleagues have reviewed and are, once again, thankful for the speed and thoroughness of your work.
Your hope is that you can ease into the next, uneventful, week. Unfortunately, as the saying goes, “bad news comes in threes.” Shortly after your arrival at the office, you are ushered into a meeting with Jeff, Sandy, and Michonne. On the phone is the CEO of SSA, Chetanna, with more disturbing news: the hack was partly an inside job, facilitated by an employee ring located in Nairobi and working in collusion with the Chinese hackers.
“How could this happen?” Michonne asks Chetanna. It’s bad enough that we were hacked, she says, but the fact that our employees facilitated it makes it much, much worse. And she asks the obvious follow-up questions: What kind of employee verification procedures do we have in SSA, and (if any) were they followed in this case? What do the applicable laws say about any such company obligations? Everyone’s eyes turn slowly to you, and you recognize that look: it’s time to update the IRP again.
Assignment – Update your draft IRP to account for processes and procedures that should have been followed in light of the discovery that employees in Africa colluded with hackers from China. What employee verification and background checks would you recommend? How should the procedures be audited, internally and/or externally? What are your reporting obligations to the Kenya Office of the Data Protection Commissioner and any other relevant regulatory authorities?