News broke recently about one of the largest known security breaches at a university. A database break-in at the University of California, Los Angeles has reportedly exposed the private information of about 800,000 people.
While this is the latest in a long line of similar stories, don't let the huge number of potential victims sway your attention. When it comes to security breaches, it's important to remember that old adage about quality versus quantity.
Data breaches aren't just about a hacker breaking into a network and stealing information. In fact, they come in all shapes and sizes:
- A lost or stolen laptop that has someone's social security number
- A lost BlackBerry that has personal information about employees or customers
- A fax that includes financial information which is thrown away rather than shredded
In other words, a data breach can happen any time an unauthorised individual has access to sensitive or private information. It's important to remember that a variety of factors can lead to this exposure.
Regardless of size, every network will experience some form of data breach at some point. And users are becoming increasingly more savvy about identity theft and sensitive to the long-term damage it can cause to their finances.
So when the inevitable data breach happens, what do you do? Establishing notification procedures in advance will help you better deal with the problem when it occurs. Planning now will help mitigate the damage from a customer/employee relationship standpoint — and it's the right thing to do.
When a data breach occurs, obviously you need to notify those affected. You definitely do not want to inform people by email that someone accessed their personal information. Users could easily mistake such an email as a phishing attempt and delete it without reading it.
While this is the electronic age, there's a better method for delivering the bad news — snail mail. The postal service will ensure delivery to the person — and usually even if they've moved to another address.
Deciding how to notify people is the easy part — deciding what should go in that notification can be a lot trickier. First of all, describe what happened.
Don't give out information that could compromise the investigation, but do tell people in non-technical terms how it happened as well as what information the breach exposed or lost. Tell them what your organisation is doing to remedy the situation, and make sure you include contact information.
If identify theft is a possibility, explain how they can try to protect themselves. Tell people how to contact the credit-reporting agencies to put a fraud alert on their accounts.
In addition, the Identity Theft Resource Center is an excellent source of information. Include a link to the website in your correspondence, and encourage people to take active steps to protect their financial information.
If law enforcement is involved in the case, provide the contact information for the team working on the case, as well as the crime reference number. This is information people may need to repair credit or obtain a job if they become a victim due to the breach.
Finally, if the breach is wide enough, contact the credit-reporting agencies first to determine whether identify theft is taking place as a result of the breach. If you uncover evidence of identify theft, offer some form of credit-monitoring service in the notification. This could mitigate the damage done to both the individual and your company.
Final thoughts
While your organisation should take every security precaution to protect its data, a security breach is often inevitable. Too much information stored in too many places provides too much temptation.
Losing control of someone's personal, privacy or financial information can put your company at risk in many ways. How you handle the loss after the fact will speak volumes to your employees and customers (both current and future). Developing some simple procedures before a loss occurs and implementing them when it happens can go a long way to mitigating the damage.
Mike Mullins has served as an assistant network administrator and a network security administrator for the US Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
