How to respond to a data breach

Michael Cooney

Data breaches seem to be happening at an absurdly rapid rate these days, with reported incidents involving the theft of personally identifiable information hitting 25,566 in 2013, up from 10,481 in 2009.

Those figures are from testimony the Government Accountability Office will today present to a congressional hearing "Data Breach on the Rise: Protecting Personal Information From Harm."

The GAO stated that data breaches involving personal information can occur under many circumstances and for many reasons. They can be inadvertent, such as from the loss of an electronic device, or deliberate, such as from the theft of a device or a cyber-based attack by a malicious individual or group, foreign nation, terrorist, or other adversary. Incidents have been reported at a wide range of public- and private-sector institutions, including federal, state, and local government agencies; educational institutions; hospitals and other medical facilities; financial institutions; information resellers; retailers; and other types of businesses.

"The loss or unauthorized disclosure or alteration of the information residing on federal systems, which can include [personal information], can lead to serious consequences and substantial harm to individuals and the nation," the GAO stated.

In its testimony the watchdog agency presented an outline of how government IT entities in particular should handle data breaches. The details of the suggested response are certainly applicable to public and private firms as well.

From the GAO report:

Establish a data breach response team
While technical remediation is usually handled by IT security staff, agencies should create a team to oversee responses to a suspected or confirmed data breach, including the program manager of the program experiencing the breach, chief information officer, chief privacy officer or senior agency official for privacy, communications office, legislative affairs office, general counsel, and the management office which includes budget and procurement functions.

Train employees on roles and responsibilities for breach
Agencies should train employees on their data breach response plan and their roles and responsibilities should a breach occur. Specifically, the US Office of Management and Budget (OMB) requires agencies to initially train employees on their privacy and security responsibilities before permitting access to agency information and information systems, and thereafter to provide at least annual refresher training to ensure employees continue to understand their responsibilities.

Prepare reports on suspected data breaches and submit them to appropriate internal and external entities
Agencies should establish procedures for promptly reporting a suspected or confirmed breach to the appropriate internal management entities and external oversight entities. For example, the breach response team should be notified about all suspected or confirmed breaches. Further, agencies must report all incidents involving personal information to US-CERT within 1 hour of discovering the suspected or confirmed incident.
