Security

Establish a strategy for security breach notification

Even if your organization takes every possible precaution to protect its data, a security breach is often inevitable. What do you do if it happens? Here are some pointers for notifying those affected.

When it comes to security breaches, remember the old adage about quality vs. quantity: a breach does not have to be large to be serious. Data breaches aren't just about a hacker breaking into a network and stealing information. In fact, they come in all shapes and sizes:

  • A data breach can occur with a lost or stolen laptop that has someone's social security number.
  • A data breach can occur with a lost BlackBerry that has personal information about employees or customers.
  • A data breach can occur with a fax that includes financial information that's thrown away instead of shredded.

In other words, a data breach can happen anytime an unauthorized individual has access to sensitive or private information. It's important to remember that a variety of factors can lead to this exposure.

Regardless of size, every network will experience some form of data breach at some point. And users are becoming increasingly savvy about identity theft and sensitive to the long-term damage it can cause to their finances.

So when the inevitable data breach happens, what do you do? Establishing notification procedures in advance will help you better deal with the problem when it occurs. Planning now will help mitigate the damage from a customer/employee relationship standpoint later -- and it's the right thing to do.

When a data breach occurs, you obviously need to notify those affected. You definitely do not want to deliver the news that someone accessed their personal information by e-mail. Users could easily mistake such an e-mail for a phishing attempt and delete it without reading it.

While this is the electronic age, there's a better method for delivering the bad news -- snail mail. The postal service will ensure delivery to the person -- and usually even if they've moved to another address.

Deciding how to notify people is the easy part -- deciding what should go in that notification can be a lot trickier. First of all, describe what happened.

Don't give out information that could compromise the investigation, but do tell people in nontechnical terms how it happened as well as what information the breach exposed or lost. Tell them what your organization is doing to remedy the situation, and make sure you include contact information.

If identity theft is a possibility, explain how they can try to protect themselves. Tell people how to contact the credit reporting agencies to put a fraud alert on their accounts.

In addition, the Identity Theft Resource Center is an excellent source of information. Include a link to the Web site in your correspondence, and encourage people to take active steps to protect their financial information.

If law enforcement is involved in the case, provide the contact information for the officer working the case, as well as the case report number. This is information people may need to repair credit or obtain a job if they become a victim due to the breach.

Finally, if the breach is wide enough, contact the credit reporting agencies first to determine whether identity theft is taking place as a result of the breach. If you uncover evidence of identity theft, offer some form of credit monitoring service in the notification. This could mitigate the damage done to both the individual and your company.

Final thoughts

While your organization should take every security precaution to protect its data, a security breach is often inevitable. Too much information stored in too many places provides too much temptation.

Losing control of someone's personal, privacy, or financial information can put your company at risk in many ways. How you handle the loss after the fact will speak volumes to your employees and customers (both current and future). Developing some simple procedures before a loss occurs and implementing them when it happens can go a long way to mitigating the damage.


8 comments
sarah.kahler

Companies often do not have a firm understanding of the business criticality of their assets based on the data those assets house, which makes it difficult to protect. By maintaining a centralized view of assets and determining how those assets support business processes and/or product and services, a company can better prioritize the protection of its business. This would allow them to quickly identify when sensitive data has been breached, who should be notified and what areas of the business will be most impacted. Also, by consolidating risk and compliance information for assets, it is then possible to understand, control and manage the activities and risk factors that impact them.

lastchip

Or IDENTITY theft? (para's. 12 & 15) ;-)

kale99

This is good stuff. However, dissemination of information should be strongly tied to the incident management response process. The steps in the process would assist in monitoring the situation.

Photogenic Memory

Sorry for the confusion. When something bad happens and you document the scope of how affected people, customers, and workers are involved in its solution or cause in a type of tracking case system; is this what you meant?

No User

Most of the security effort is on the back door, especially with all the new regulations everyone is getting slammed with. While folks are transfixed on the back door, the front door is open and the welcome mat is out. People walk out the door with confidential information every day. As mentioned, Notebook and Blackberry, also other Handhelds and plain old paper. The easy way to detect that you had a breach is when the Notebook, Handheld or paper is missing and presumed to be stolen. That would be an obvious scenario, but what happens when somebody simply copies the data and doesn't steal the device? It's standard for a notebook to have a CD burner built in, so pop in a CD/R, burn the data and nobody even suspects; there would be no reason to. The only way you could tell would be after incurring a significant amount of damage and perhaps seeing a pattern that you would simply assume that you had a breach. Wait until that happens on a large scale, say 6-12 months after you find that someone copied data. Yikes!!!

nospam

As you are developing breach notification procedures you may want to consider the following:

1. Business leaders need to be part of the working group to develop and execute breach notifications.
2. Add legal counsel and your communications group to the working group as well.
3. Many states have notification window requirements. For example, a company has to notify the breached within X number of days.
4. Some states require that its AG office be contacted.

In regards to contacting credit monitoring services to determine if identity theft has taken place and for possible credit monitoring services: this may be a good "litmus test" from an early detection perspective, but should not be used to predict future malicious activity against the breached. Finally, offering credit monitoring services to the breached does not mean that they will activate it. Breach notification is not solely an information security activity. Information security can drive the process or procedures, but the other business components need to execute the procedures.

dspeacock

All of the suggestions are good, but don't forget a good public relations person/campaign. How many companies have their stock take a major hit as a result of a data breach? How many small businesses NEVER recover from the loss of customer confidence in them after a breach? Safeguard your information like it is the Crown Jewels, but if it gets out, be up front on how it happened, but more importantly, what you're doing to prevent a repeat, and what you're doing for your customers whose information might have been compromised. Where I currently work, there is a clause written into contracts with vendors etc. that if they are at fault for a data compromise, THEY are responsible for providing credit monitoring for those affected clients. A potential monetary hit like that makes them sit up and take notice when we present them with the results of our security audits of their operations.

dlmeyer

While all too many security breaches are 'personal', rather than corporate, and while a great many security breaches are the result of "social exploits" - like fishing a FAX out of the trash - the most information is gathered from intrusions in the corporate space and involves insecure systems somewhere along the line. Certainly, take your own security responsibilities seriously, but hold your corporate partners' feet to the fire. Should you discover that your information has been compromised because, in part, a security patch was not applied in a timely fashion, go after them. Sue the company and name the CIO and maybe a subordinate or two in the suit. DLMeyer - the Voice of G.L.Horton's Stage Page (http://glhorton.podomatic.com)