There's also a GSW blog: I've just posted the following item to the GSW blog and there are contributions from supporters of GSW.
Does your organization have a policy on promptly informing those affected by privacy incidents and, where necessary, disclosing breaches to the proper authorities? If not, a privacy incident at John Hopkins Hospital might make you think again:
"A desktop computer containing the personal information of 5,783 patients was stolen from Johns Hopkins Hospital in mid-July, and the hospital waited more than five weeks to inform the patients or their families of the theft. The computer, taken from an "administrative work area" in a building on Johns Hopkins' main campus the night of July 15, contained patients' names, Social Security numbers, birth dates, medical histories and other personal information, according to Hopkins officials. Another computer and a projector were also stolen."
Another suggestion is to make sure your organization's contingency plans cover privacy and security incidents, giving management a blueprint to help them deal with a crisis in the most efficient and professional manner possible under the circumstances.