What, When and How to Respond to a Data Breach

By Lamont Wood
Fri, April 27, 2007

Computerworld

There's been a data breach. It happened 268 times during 2006 (according to the Privacy Rights Clearinghouse). Now, it's happened to your organization. What do you do?

Well, you might want to obey the 33 or so state laws that govern when and how you should notify the people named in those exposed files, gently breaking it to them that, because of you, they're now naked to identity theft. The laws are hardly copies of each other, but the standard bearer is California SB 1386. The California Office of Privacy Protection has 30 pages of recommendations on how to comply with it.

If you're with a financial institution, specific federal laws apply, and the Federal Trade Commission has its own list of recommendations, including a model notification letter.Obviously, the situation is complex and fraught with legal hazards -- and the experts agree that your only hope of navigating them successfully is to have a contingency plan written in advance.

"You need practical things like a plan and committee, and a decision about who is going to be on that committee," said David Taylor, vice president at Protegrity Corp., a data security management firm in Stamford, Conn. Taylor, who writes data breach contingency plans, suggested that the committee include representatives from the organization's business units, plus the corporate attorney, the corporate compliance officer or equivalent, someone (such as a public-relations officer) who can address the issue of reputation damage, and someone who reports to the chief financial officer.

Having convened, there are four things the committee must do, explained John Pescatore, analyst at Gartner Inc.:

  •  Begin the customer notification process;
  •  Start the breach containment process;
  •  Decide whether to involve law enforcement; and
  •  Perform a post mortem.

When it comes to notification, the committee should act quickly. "Time is of the essence," noted Larry Ponemon, head of the Ponemon Institute, a research firm in Traverse City, Mich., covering privacy, data protection, and information security policies. "You want to make sure that you get your message out hours and hopefully days before it appears in the media."

"One of the primary causes of legal action is the accusation that you knew sooner than you told," added Rob Scott, managing partner at Scott & Scott LLP, a law and technology services firm in Dallas.

But while moving fast, "Be surgical when identifying who is at risk -- a big mistake we see many times is that they think that by casting a wide net they will be seen as a more responsible organization," Ponemon cautioned. "Don't send a notification letter to people who don't need it. Those who get the letter will either under-react and do nothing, or overreact and do things that are not required, like throwing away their credit cards or constantly calling credit bureaus. The letter is always seen as a negative issue."

Continue Reading

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
Whether your data center is large or small, it faces a similar set of roadblocks to efficiency, uptime, and ROI. This white paper reveals the six most common and intractable problems facing the data center and explains how to rectify them while improving efficiency and uptime.
Innovations are changing the role procurement plays within the enterprise. SAP's Chris Salis, Global Vice President of Procurement Solutions, and Emily Rakowski, Senior Director and Head of Procurement Solutions Marketing discuss how SAP Procurement Solutions are the strategic differentiators of innovation.
In August 2011, Benny Kirsh was named VP and CIO at Infoblox, an industry-leading developer of network infrastructure automation and control solutions. With more than 25 years of experience, Kirsh is responsible for driving strategic advancements via the company's IT infrastructure and applications.
In this Quest white paper, gain a deeper understanding of all the dangers involved with privileged account ("super user") management. Learn to mitigate risks by enabling granular access control and accountability for admin or super user accounts. Read it today.
As more and more CIOs are beginning to see significant benefits from letting employees choose the device they use to get their jobs done, the Bring Your Own Device (BYOD) trend is spreading. According to the Computerworld Consumerization of IT Study, about half of the 604 respondents said their organizations allow employees to do work using their own devices either away from the office or at work. Whether these devices are smart phones, tablets, or laptops that are used in the office or while working remotely, companies that embrace this trend are finding their employees are more productive and experience greater job satisfaction. What's more, enterprises can significantly reduce up front costs and allow for flexible work hours by letting employees use their device of choice anytime, from anywhere.
In this paper, we analyze the delivery of live and on-demand mobile video content. It focuses on specific ways in which organizations can follow best practices to ensure the experience of video communication is maximized for viewers, while keeping corporate networks running smoothly.
Date/Time: June 5, 2012, 11:00 a.m., EDT, 4:00 p.m. BST / 3:00 p.m. UTC

Please join us for this webcast, as Dr. Barry Devlin, Founder and Principal, 9sight Consulting, describes what operational analytics can do for your business and reviews an architectural approach that will enable you to make it a reality.
Have you been thinking about what it would take to start using virtualization? Or do you know the basics and want to find out more? No problem. This webcast is designed for anyone with little to no knowledge of virtualization technology. Attend this webcast to learn:

-A basic overview of the business value of the technology and some key capabilities that make virtualization so valuable to IT and the businesses you serve.
-The basics for creating virtual machines and the key choices that can be made along the route to deployment.
View this on demand webcast to learn if moving business communications to the cloud is right for your business. Featured industry experts DMG Consulting LLC president, Donna Fluss, Frost & Sullivan principal analyst, Michael DeSalles, and Interactive Intelligence senior vice president, Joe Staples discuss this topic and help you answer your pressing questions at the conclusion of this web event.
In this webcast, Vantage Point Performance's Michelle Vazzana will reveal how to coach your reps to better performing pipelines.
In this webcast produced by the Sales Management Association (SMA), Forrester's Scott Santucci will explore the new sales paradigm and discuss how businesses must transform their selling models into dynamic, communications-intensive systems, empowering individual sellers to define, create and deliver value to customers.
SAP Sales OnDemand is intuitive, leveraging social collaboration capabilities you already know how to use. It enables fast, effective team collaboration and account management to help you sell more effectively. Watch the video to see how!
Newsletter Sign-Up »

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all Newsletters | Privacy Policy
Sponsored Links

High performance. Delivered. Click to see Accenture's client successes

Connect with IT leaders redefining mobility at the Enterprise Mobile Hub

Choose New and manage one device instead of 170

Choose New for 8x the firewall and NAT performance

Check out a smart way of mobilizing your business with enterprise-ready Samsung Mobile.

Redefine your data center with HP servers.

Enhance your business with Windstream IT Solutions. Speak to someone local.

BlackBerry® Mobile Fusion. Different mobile devices. One platform.

CYBERMARYLAND | Learn Why Maryland is the Epicenter for Cybersecurity

Get Ethernet speeds from 1 Mbps to 10 Gbps - Comcast Business Class

Cognizant. Leading in Business, Application & Technology Services

Collaboration: driving better business outcomes

Gain cutting-edge insights at MIT in 2-5 day executive programs.

Click to see how Accenture has delivered high performance to clients

Elevate storage agility and efficiency with HP 3PAR storage.

Choose New and slash the number of devices you manage

Customized information views & Twitter events at New Fulcrum Point

Splunk translates machine data into "aha" moments for IT and the business.

ManageEngine Desktop Central - Automate and Audit Your Desktop Management! Learn More...

Cloud Readiness Starts with Intel® Technology

Visit the Virtually There Learning Page to learn how to use virtualization to your competitive advantage.

Free: Hunter Muller's "The Transformational CIO."

Join us for an upcoming Microsoft 365 live online demo event.

Discover your easiest path to unified communications

Virtualizing Your Infrastructure Just Got Easier

Connect with global CIOs now at Enterprise CIO Forum

Resource Center