Most security managers are aware of some form of the five steps for handling an incident: Prevent, detect, contain, eradicate, and recover. These steps are usually sufficient for those incidents in which personally identifiable information (PII) or electronic protected health information (ePHI) isn't compromised. However, a breach of individual identity information brings with it an additional set of tasks.
In addition to breach notification simply being the right thing to do, more than 30 U.S. states now have laws governing the actions of businesses that experience a compromise of PII or ePHI. A list of these states, and a short description of notification requirements, can be found at the Crowell Moring Web site. In addition, Congress is working on a number of bills that will make breach notification mandatory nationwide.
The regulatory actions of the federal and state governments are in response to the growing number of identities potentially compromised during the past several years. According to Privacy Rights Clearing House, there have been more than 155 million records containing identity information reported as compromised since January 2005. Again, these are just the reported instances.
Regardless of which state or states in which you do business, the Consumers Union and the Federal Trade Commission recommend taking specific steps to protect both your business and the victims when a possible identity breach occurs. The following is an aggregate list of those recommendations:
- Before going public, consult with the appropriate law enforcement agency to ensure that release of information won't interfere with the related investigation.
- Designate one person in your organization as the information contact for external entities. All information should go through him or her before being released to the public.
- A strong Notice of Breach should be sent to all affected individuals. The FTC provides a model letter as a starting point. Although many state laws include conditions for mandatory notification, consider sending out notifications whenever any PII or ePHI breach occurs. The notice of breach should include:
  - A clear description of what you know about the compromise. Within the limits imposed by law enforcement, include who, what, when, where, how, and why.
  - Current information about identity theft and the steps victims can take to protect themselves. A good resource for this is located at the FTC Web site.
  - Information on how to contact the law enforcement agency working on the case.
  - Information for victims about the value of implementing a "security freeze" to lock their credit files against anyone trying to use stolen identity information to obtain credit. (According to the Consumers Union, 36 states have enacted security freeze laws.)
- Seriously consider being proactive by providing credit review and notification services at no cost to the victims. In some areas, this may be mandatory.
Above all else, be open, honest, and measured in your reporting. In other words, tell victims the truth — but only after you understand what the truth is. Changing the story on a breach tends to bring an organization's credibility into question.
Finally, don't wait until a breach happens to put together a response plan. Design and document breach response processes, and train relevant employees on their use. A quick, decisive response to a breach can help mitigate potential negative effects on a company's public image.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.