It’s not a question of whether this will happen to your organization, but of when. Be ready to react.
As a first-line responder to a security breach, Amy McLaughlin learned valuable lessons from the experience.
When the words “teen bikini” popped up during a routine inspection of the Oregon Department of Revenue’s firewalls, the trail led to a misused PC infected with a keylogger. As a result, the infected PC exposed 2,200 taxpayer IDs and other personal records.
“The most painful part of the process was trying to identify what data was sent out under the keylogger,” says Amy McLaughlin, who at the time of the June 2006 incident was IT security officer for the state’s Department of Revenue (DOR). “It took several days of six people pulling data, trying to identify what data entry was typed at the time and what was sent out.”
McLaughlin, who is now IT infrastructure manager for the Oregon Division of Administrative Services, has learned from the experience. She and other first responders hope other agencies can learn these lessons before they, too, find themselves embroiled in a public breach disclosure.
“Realistically, in the world we live in, every organization is going to have some type of data security incident. So know beforehand what you’re going to do when that day comes,” says Sol Bermann, chief privacy officer for Ohio’s Office of Information Technology.
Notify IT Leaders
Last June, Bermann was part of an investigation into a stolen backup tape belonging to the state’s Office of Management and Budget that contained personally identifiable information on 770,000 employees, benefits recipients and taxpayers. At the onset, OMB network operators investigating the scope of the breach took too long reporting the problem to managers, which became the most costly mistake in the process.
“Internal reporting is the biggest problem agencies have with reporting from the start,” advises Joanne McNabb, chief of the California Office of Privacy Protection in Sacramento. “Don’t hold up reporting while you’re trying to figure out what type of data is lost. Notify your information security officer the moment you suspect any type of breach and make that the central point for reporting internally and up the chain.”
In the Ohio case, a 22-year-old, $10.50-an-hour intern lost the tape when it was stolen from his car. Knowing the tape had a good amount of confidential data backed up, the intern described it on the Hilliard Police report simply as “a device worth $15.” By failing to report the existence of privacy- protected data on the tape to law enforcement until days later, the critical first hours to search for the tape were lost because law enforcement didn’t realize its value, according to the state Inspector General’s report.
“If the device had been found quickly, it’s quite possible we would not have had to report it out,” says Bermann, adding that often thieves don’t know the value of the device and toss it into a dumpster nearby.
If litigation is a possibility, investigative evidence must be certifiably forensically sound, which means having on hand these resources ahead of time, advises McLaughlin. In the Oregon case, forensic skills were particularly critical, as there was concern of finding illegal images, given the illicit sites the user visited in violation of policy after disabling Web-filtering software.
Tap a team of responders — technical, legal, public relations, affected business units, executive offices, other state agencies and outside response agencies — to share and disseminate information.
To get started, borrow from your existing emergency response processes and contact lists, then conduct mock exercises on a regular basis, advises Dan Lohrmann, Michigan CISO, Office of Enterprise Security in Lansing, Mich.
Lohrmann’s office recently had a security scare. An offsite contractor lost — then later found dropped behind a rack — a backup tape, which forced his agency nearly to the point of going public with disclosure. The incident, he says, brought together representatives from legal, human resources, department directors, the attorney general, civil services and other operational silos.
“IT, communications and legal are all separate silos that, in the normal course of business, may not talk to each other. But they need to be prepared ahead of time that responding to a breach is an interdisciplinary endeavor [that requires they] very quickly work together,” Bermann advises.
Knowing when to publicly disclose the breach is another gray area organizations grapple with. You don’t want to disclose before you have all the information to determine what data was breached, but you must disclose quickly, experts say.
“You’re balancing the interest of giving people quick notice (so they can take protective action) against not wanting to frighten people unnecessarily,” California’s McNabb explains. “In the case of a law enforcement investigation, it might mean ordered delays in reporting.”
Once the hubbub of the initial disclosure dies down, agencies must analyze what went wrong with the security and response processes and implement repairs where needed.
For example, the Ohio CIO’s office went on a systemwide re-engineering of security and reporting practices, starting with the long-overlooked bad practice of having state employees and interns take their backups home every night.
After its incident, the Oregon DOR implemented a no-surfing policy, among other things. Now, employees can only access the Internet for personal use during lunch and breaks using a wireless network owned and operated by the cafeteria management company.
“It seems like everyone has to have their particular lesson before they encrypt their laptops,” McNabb surmises. “In that sense, law has been the great educator.”
The Cost of Noncompliance
Michigan law allows the state to fine employees who knowingly and maliciously fail to report a data breach to the data owner up to $250 per breached record.
By the Numbers
More than 62 state and local government organizations reported security breaches in 2007, according to data compiled by the Privacy Rights Clearinghouse.
Seven steps to Data Breach Response
- Report a suspected data breach to the CISO or other central point of command immediately.
- Contact local law enforcement and state police. Make it clear to them that private data has been breached so they know how to investigate.
- Determine whose records were breached and what data was exposed.
- Locate victims. In the case of employee data exposure, all data is in HR and department databases. Affected parties are more difficult to track down in the general public, so use of the media can be helpful.
- Notify victims:
a. Establish a Web site and call center for victims to report to and to get answers to their questions.
b. Use your investigative findings to script the call center answers. For example, if it’s likely the data was not used in any malicious way, include that in the message and explain why.
c. Offer one free year of credit-monitoring services to all affected parties.
d. Explain to them how to check and protect their credit and even how to better protect their own data on devices and during transactions.
- Review what went wrong.
- Use the lessons learned to improve data-protection policies and procedures all along the chain:
a. end user and IT staff education;
b. process improvements;
c. encryption policies, particularly on portable devices.