Warming Up for a Data Breach
Figuring out the appropriate tone to take during a cybersecurity event has evolved into a workout routine.
- By Dian Schaffhauser
- 08/15/12
The irony was painful. At the same time that the dean of Stanford University's School of Medicine was warning about the dangers of "amassing medical information in digital form" in a 2012 summertime editorial in a university publication, the institution's hospital was notifying 2,500 patients that somebody had stolen, from a physician's locked office, a laptop with their personal information stored on its hard disk. The computer was password protected and apparently outfitted with a program that would alert the school when it next connected to the Internet, but that hasn't happened yet.
That the theft happened nearly on the first anniversary of Stanford's last breach--affecting 20,000 patients--only heightened the cringe factor.
Stanford's July breach was accompanied by two other breaches reported at Oregon schools. On July 24, Oregon State University went public with news that it was notifying about 21,000 current and former students and employees that personal data was copied without their permission by a vendor in the course of upgrading software in the cashier's office.
About a week later, Oregon Health & Science University sent letters to the families of 702 pediatric patients after a USB drive containing sensitive information was stolen during a burglary at an employee's home. (The drive was in a briefcase that was taken during the theft.)
In each of these cases, the institutions made a point of emphasizing that they considered the risk for those affected to be minimal. As Aaron Howell, Oregon State's director of business affairs, expressed it, "While we believe the risk to the individuals we are contacting is low, we want to take the conservative approach and ensure that information is provided to people to let them make their own decisions on how best to protect themselves."
That's a fairly typical response these days from universities and colleges facing down a data breach: setting a tone of sincere regret. It's no longer standard operating procedure to immediately offer to purchase identity theft protection for potential victims. Often they simply refer individuals to the free services offered by credit reporting agencies. Nor do the highest leaders in the organization step forward to take ultimate responsibility.
This may be a sign that schools--along with other types of organizations--have matured in how they prepare for and deal with data breaches. Already in 2012, 60 .EDU breaches have been announced, affecting 1.2 million individuals, according to the Privacy Rights Clearinghouse. During 2011, 63 public data breaches were reported by educational institutions, affecting 573,000 people. Enough institutions have been through the crisis that best practices have surfaced for minimizing the impact and potential damage caused by these security events.
Kicking into Action
According to Kroll Advisory Solutions' Brian Lapidus, when a security breach has been uncovered, the time to notify your administrators is "as soon as possible." In an ideal situation, he said, "you already have an incident response plan in place and it covers this scenario quite comprehensively, by pinpointing exactly who to report the information to and what next steps should be. When a security incident is suspected, time is of the essence and it is important to investigate as soon as possible to determine if a breach has, in fact, occurred and, if so, what was lost."
Addressing the forensics aspects of a security incident quickly avoids the virtual equivalent of a crime scene that's been trampled with the footprints of curious bystanders.
"Forensics are all about analysis of a situation after it's occurred," said Ward Clapham, vice president of investigation and recovery services at security company Absolute Software. "This is only possible if the organization has access to a record of behavior and activity before and during the event. Along with understanding exactly what data was accessed, computer forensics can provide insight to the security incident that led to the breach. This will allow an organization to adjust their internal procedures to ensure the same incident doesn't reoccur. This can include everything from tighter security protocols to identifying and removing criminal elements from within the organization."
The analysis will ultimately be used by the institution in working with law enforcement. "The success of a police inquiry will depend upon their ability to collect strong evidence that can support a successful prosecution," Clapham explained. "We've been involved in 25,000-plus computer theft investigations, and it really boils down to how the unauthorized user was able to gain access to the device and how they used the device once they had control of it. By providing this intelligence to law enforcement, they are able to identify and often prosecute the offender."
Analysis will also help determine the extent of the breach. As Kroll's Lapidus noted, "We have worked with several clients who initially believed they had lost hundreds of thousands of records, only to find out that what was actually accessible by the hacker turned out to be far less, and in some cases, no personally identifiable information was accessible at all."
The company worked on a case involving one university, for example, where a temporary employee was allowed to begin working in the accounting department even though her background check was still in process. When that report came back with news that the temp had been convicted twice for identity theft in other states, she was let go immediately. But within two weeks two employees came forward indicating that they'd been contacted about credit cards they hadn't applied for and never received. The school quickly offered its employees--1,900 people--credit monitoring services.
Only after a forensic analysis by Kroll, however, did the university learn that the temp had really only been able to access and copy information from 25 employees, for whom she'd been given W-4 forms to work on for tax purposes. Those staff members were notified and given access to an investigator at Kroll who could work on their behalf in resolving potential identity theft issues. At the same time, the police were able to use the fraudulent credit card applications, which referenced an old address for the temp, to track her down.
With the Victims, Take a Breather
Interestingly, how much time to take in notifying potential victims is a different matter.
A 2010 study by research firm Ponemon Institute found that while more organizations favor rapid response to data breaches, it may cost them more in the end. As reported by Ponemon in "Annual Study: U.S. Cost of a Data Breach," 43 percent of companies notified victims within a month of discovering a data breach. Yet, the report stated, "these 'quick responders' paid significantly more per record than companies that moved more slowly." In 2010, quick responders had a per-record cost of $268; companies that took longer paid $174 per record.
On this point the researchers concluded, "Moving too quickly through the data breach process may cause cost inefficiencies for the organization, especially during the detection, escalation, and notification phases." They added that at least some of the responsiveness may be unavoidable, a result of organizations responding to perceived regulatory pressures, such as state and federal data protection laws.
More practically, noted Kroll's Lapidus, before sending out a notification letter to those whose data has been exposed, "You want to have the facts of the breach sorted out... This is a very difficult decision for most organizations to make--they are acutely aware that the clock is ticking and that they need to get this information to victims as soon as possible."
As Lapidus pointed out, "If you notify too quickly, you increase your chances of notifying the wrong people or conveying incorrect information. This can cause needless worry among your constituents and can also damage your reputation. Which is better, to notify a thousand people that their credit card information was compromised or to notify a hundred thousand people that their credit card information and possibly their SSNs, birthdates, and other information contained in a record set may have been hacked?"
Ultimately, coordination of these "fast twitch" and "slow twitch" responses requires being preemptive and responding to a security incident before it happens. That in turn calls for continual build-up and routine practice of a response plan specifically dealing with a data breach. By working those muscles, said John Livingston, Absolute's chairman and CEO, "an organization can lessen the impact and even obviate a data breach."