Lack of a Privacy Incident Response program may result in improper identification and handling of privacy events.
The organization:
a. Develops and implements a Privacy Incident Response Plan; and
b. Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.
A written, documented privacy incident response plan is in place.
No statewide control
Obtain data privacy policy and procedures; other relevant documents or records and ascertain if:
(I) the organization develops and implements a Privacy Incident Response Plan; and
(ii) the organization provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.