A data scandal roll call would include big names in nearly every industry. Bank of America, LexisNexis, Time Warner, DSW Shoe Warehouse, T-Mobile and the University of California, Berkeley, to name a few, have recently experienced data security breaches. And some experts say that there are hundreds if not thousands of other, less-publicized cases in which sensitive personal data has been compromised.
"There’s the hospital that unwittingly exposes a couple of AIDS patients, or the bank that inadvertently discloses to a creditor someone’s complete financial background," says Diana McKenzie, who chairs the IT group at Neal, Gerber & Eisenberg LLP, a Chicago law firm. "There are tons and tons of examples like that."
For CIOs, this trend means two things: It may not be a case of whether your company will experience a data security breach but when it will experience such a breach. And, particularly if you’re one of the unlucky 10 percent or less who find their stories blasted throughout the national news media, you’d better know beforehand how you’re going to respond when a breach occurs.
A New Reality
"In days gone by, you could have thrown up your hands and said, ’Geez, this was an accident,’ " says Scott Sobel, vice president at Levick Strategic Communications in Washington. "But now people are more familiar with IT processes, and they may believe that if controls weren’t in place, someone was negligent or malicious."
That’s why your immediate response to a security breach is all-important. And it’s not enough to lean on processes you’ve put in place to respond to more traditional threats such as viruses and hacker infiltration. Today, threats can emanate from sources as varied as fraudulent businesses or tape thieves.
"The failures in the business processes that have occurred this year are causing organizations to redesign the way they respond to future incidents or anomalies," says Rich Baich, managing director at PricewaterhouseCoopers and former chief information security officer at ChoicePoint Inc. in Alpharetta, Ga. Earlier this year, it was revealed that ChoicePoint had released consumers’ personal financial information to data thieves posing as legitimate businesses.
One important change worth considering, Baich says, is to create and publicize a central mechanism for employees or the general public to report possible breaches, including incidents involving low-tech actions such as fraud or tape theft. There should be a response team that follows an established set of protocols, not unlike those of customer service hot lines,