[ISN] Establish a strategy for security breach notification

From: InfoSec News (alerts@private)
Date: Wed Dec 20 2006 - 22:33:28 PST


http://www.zdnet.com.au/insight/security/soa/Establish_a_strategy_for_security_breach_notification/0,139023764,339272771,00.htm

By Michael Mullins CCNA, MCP
21 December 2006

Even if your organisation takes every possible precaution to protect its 
data, a security breach is often inevitable. What do you do if it 
happens? Mike Mullins offers some pointers for notifying those affected.

News broke recently about one of the largest known security breaches at 
a university. A database break-in at the University of California, Los 
Angeles has reportedly exposed the private information of about 800,000 
people.

While this is the latest in a long line of similar stories, don't let 
the huge number of potential victims sway your attention. When it comes 
to security breaches, it's important to remember that old adage about 
quality vs. quantity.

Data breaches aren't just about a hacker breaking into a network and 
stealing information. In fact, they come in all shapes and sizes:

* A data breach can occur with a lost or stolen laptop that has 
  someone's social security number.

* A data breach can occur with a lost BlackBerry that has personal 
  information about employees or customers.

* A data breach can occur with a fax that includes financial information 
  that's thrown away instead of shredded.

In other words, a data breach can happen any time an unauthorised 
individual has access to sensitive or private information. It's 
important to remember that a variety of factors can lead to this 
exposure.

Regardless of size, every network will experience some form of data 
breach at some point. And users are becoming increasingly savvy 
about identity theft and sensitive to the long-term damage it can cause 
to their finances.

So when the inevitable data breach happens, what do you do? Establishing 
notification procedures in advance will help you better deal with the 
problem when it occurs. Planning now will help mitigate the damage from 
a customer/employee relationship standpoint later -- and it's the right 
thing to do.

When a data breach occurs, you obviously need to notify those affected. 
You definitely do not want to tell people that someone accessed their 
personal information in an e-mail. Users could easily mistake such an 
e-mail as a phishing attempt and delete it without reading it.

While this is the electronic age, there's a better method for delivering 
the bad news -- snail mail. The postal service will ensure delivery to 
the person -- and usually even if they've moved to another address.

Deciding how to notify people is the easy part -- deciding what should 
go in that notification can be a lot trickier. First of all, describe 
what happened.

Don't give out information that could compromise the investigation, but 
do tell people in nontechnical terms how it happened as well as what 
information the breach exposed or lost. Tell them what your organisation 
is doing to remedy the situation, and make sure you include contact 
information.

If identity theft is a possibility, explain how they can try to protect 
themselves. Tell people how to contact the credit reporting agencies to 
put a fraud alert on their accounts.

In addition, the Identity Theft Resource Center is an excellent source 
of information. Include a link to the Web site in your correspondence, 
and encourage people to take active steps to protect their financial 
information.

If law enforcement is involved in the case, provide the contact 
information for the officer working the case, as well as the case report 
number. This is information people may need to repair credit or obtain a 
job if they become a victim due to the breach.

Finally, if the breach is wide enough, contact the credit reporting 
agencies first to determine whether identity theft is taking place as a 
result of the breach. If you uncover evidence of identity theft, offer 
some form of credit monitoring service in the notification. This could 
mitigate the damage done to both the individual and your company.


Final thoughts

While your organisation should take every security precaution to protect 
its data, a security breach is often inevitable. Too much information 
stored in too many places provides too much temptation.

Losing control of someone's personal, private, or financial information 
can put your company at risk in many ways. How you handle the loss after 
the fact will speak volumes to your employees and customers (both 
current and future). Developing some simple procedures before a loss 
occurs and implementing them when it happens can go a long way toward 
mitigating the damage.






This archive was generated by hypermail 2.1.3 : Wed Dec 20 2006 - 22:49:07 PST