[ISN] Data Scandal
InfoSec News
isn at c4i.org
Tue Oct 4 01:49:45 EDT 2005
http://www.computerworld.com/securitytopics/security/story/0,10801,105065,00.html
By Mary Brandel
OCTOBER 03, 2005
COMPUTERWORLD
A data scandal roll call would include big names in nearly every
industry. Bank of America, LexisNexis, Time Warner, DSW Shoe
Warehouse, T-Mobile and the University of California, Berkeley, to
name a few, have recently experienced data security breaches. And some
experts say that there are hundreds if not thousands of other,
less-publicized cases in which sensitive personal data has been
compromised.
"There's the hospital that unwittingly exposes a couple of AIDS
patients, or the bank that inadvertently discloses to a creditor
someone's complete financial background," says Diana McKenzie, who
chairs the IT group at Neal, Gerber & Eisenberg LLP, a Chicago law
firm. "There are tons and tons of examples like that."
For CIOs, this trend means two things: It may not be a case of whether
your company will experience a data security breach but when it will
experience such a breach. And, particularly if you're one of the
unlucky 10% or less who find their stories blasted throughout the
national news media, you'd better know beforehand how you're going to
respond when a breach occurs.
A New Reality
"In days gone by, you could have thrown up your hands and said, 'Geez,
this was an accident,'" says Scott Sobel, vice president at Levick
Strategic Communications in Washington. "But now people are more
familiar with IT processes, and they may believe that if controls
weren't in place, someone was negligent or malicious."
That's why your immediate response to a security breach is
all-important. And it's not enough to lean on processes you've put in
place to respond to more traditional threats such as viruses and
hacker infiltration. Today, threats can emanate from sources as varied
as fraudulent businesses or tape thieves.
"The failures in the business processes that have occurred this year
are causing organizations to redesign the way they respond to future
incidents or anomalies," says Rich Baich, managing director at
PricewaterhouseCoopers and former chief information security officer
at ChoicePoint Inc. in Alpharetta, Ga. Earlier this year, it was
revealed that ChoicePoint had released consumers' personal financial
information to data thieves posing as legitimate businesses.
One important change worth considering, Baich says, is to create and
publicize a central mechanism for employees or the general public to
report possible breaches, including incidents involving low-tech
actions such as fraud or tape theft. There should be a response team
that follows an established set of protocols, not unlike those of
customer service hot lines, where a trained group follows a decision
tree and escalates its response depending on the nature of the
problem.
The exact response protocol will be unique to each organization. Some
may want to report directly to the general counsel, others to the
CISO, and others to the president of the company. However you choose
to do it, the escalation procedure should be defined and agreed upon
in advance.
"It needs to be something that says, 'During Christmas time, from this
hour to this day, John Brown is head of the team, and he'll have
access to this attorney and this PR person and this decision-maker and
this representative of the union, instantly,'" Sobel says.
Having a central point of contact would also help avoid the common
problem of not taking incident reports seriously, McKenzie says. "If a
busy executive gets a call from a person outside the company who
doesn't sound sophisticated, or from someone lower in the organization
who thinks something odd is happening, there's a tendency to dismiss
it," she says. "I can't tell you the number of times I've had a person
forget to get the phone number or even the name of the person who
called."
Teamwork
The word team can't be overemphasized, McKenzie says. The days are
gone when IT worked in isolation on security incidents. The public
relations and legal departments need to be involved as soon as
possible, even as you're still figuring out the depth and breadth of
the problem. "While you're starting to fix, document and understand
the problem, you want to start the lawyers mitigating risk and the PR
folks preparing communications," McKenzie says.
"The IT guy keeping it to himself is a really bad idea," she adds. Not
only are there disclosure requirements, but your public relations
people will also need some lead time to fully understand the problem
and prepare a response.
At Vanguard Managed Solutions LLC, IT works hand in hand with the
legal and marketing departments during times of crisis. In the
300-employee managed services provider in Mansfield, Mass., security
incidents are escalated to management-level employees in the network
operations center, says Eric Welz, senior solutions architect. If the
incident is determined to be severe enough, marketing, legal and IT
work together to determine how it should be communicated to clients.
Now more than ever, lawyers are crucial for correctly interpreting and
responding to federal and state privacy laws. For example,
California's Senate Bill 1386 requires organizations to disclose
security breaches that involve private information about California
residents. California Assembly Bill 1950 requires "reasonable
security" controls for California residents' data. The Washington
state government also recently enacted several bills addressing
security breaches, and other states may soon follow.
Your legal department might decide to involve local law enforcement,
which could affect whether your company is allowed to disclose any
information about the breach. If the police ask you to keep mum
because they've determined that public disclosure would inhibit the
investigation, be sure to get a letter documenting that request to
avoid conflicts later, Baich says.
Some experts suggest that companies develop boilerplate language to
enable a faster response. "Disclosures are sometimes required to
happen quickly, and that's not the time to start with a blank piece of
paper," says Peter Gregory, chief security strategist at VantagePoint
Security LLC in Bellevue, Wash.
Deliberate Speed
But don't rush. "You don't want to wait two days, but you can wait 20
minutes," says Gregory. "You need to follow the emergency procedures
so that when the PR person is in front of the microphone, the
information has flowed properly from the point of discovery, through
IT management and sideways to PR and legal."
Or, as McKenzie puts it, "respond with cautious speed. On the one
hand, a delay in responding can be fatal, but on the other, you need
to have a reasoned response, because this could be broadcast all over
the country."
To avoid accusations that you didn't work quickly enough to solve a
problem, McKenzie suggests calling in an IT forensics consultant --
even if you think your IT staff is talented enough to analyze Web logs
and other records effectively. "It shows you're taking it seriously:
'We hired this gunslinger to help solve the problem expeditiously,'"
she says. "If someone sues you for damages, it looks good from a PR
standpoint that you hired someone immediately."
You should keep a fact-finding log to record any actions that the
security team takes and any people it contacts, and that log should
include the precise timing of every action. "When that's all logged,
it's easier when someone asks what happened," Baich says.
Finally, when it comes time to communicate with customers or the
general public, "be understanding and reassuring," says McKenzie.
"There's a tendency for people harmed by these incidents to sense a
lack of empathy for their situation." A kind and caring attitude on
your part may lessen the chance of lawsuits and other litigious
behavior, she says.
"A security disaster will cause many to doubt the company's ability to
continue operating," Gregory says, "so you need to respond with
well-thought-out statements that give the media and customers
confidence that you're in control and are dealing with it."
Brandel is a Computerworld contributing writer in Newton, Mass.
Contact her at marybrandel at verizon.net.
More information about the ISN
mailing list