Government Technology

Data Breach: How and When to Say "We Screwed Up"



September 30, 2008 By

"Fall Out." That was the term used by the shipping company when Dormitory Authority's back-up tapes went missing. On the trip from the Albany headquarters of this New York-based construction organization to its data center in New York City, the tapes had literally fallen out of their yellow mailing envelope. The tapes contained personal, private or sensitive information (PPSI) on over 600 employees and approximately 3,000 vendors. The shipping company needed five days to conduct a formal search to determine whether the tapes were in fact lost or just misplaced.

In the meantime, Dormitory Authority's compliance officer Michael Springer was faced with a dilemma: Do we alert our vendors and employees that there has been a security breach, or wait five days to make the decision? Within two days' time, senior management decided to meet and exceed all disclosure requirements. "If there [are] time requirements, we're going to beat them. If there's criteria laid out, we're going to exceed it. We want to be forthright and very responsible for this entire situation," said Springer. And so began the disclosure process.

The first step was to determine exactly what kind of information was on the tapes and whom it would affect. The five tapes were nightly back-ups of various systems. The two most critical systems housed the financial management application and the employee time-keeping application. Both of these applications contained PPSI -- and neither was encrypted. Social Security numbers and tax ID numbers of thousands of vendors and hundreds of employees were now compromised.

The organization then notified New York's Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), the Attorney General and the state's Consumer Protection Board of the situation.

Next, they had to decide how to notify everyone whose information had potentially been compromised. Could an e-mail be sent? Did letters need to be mailed? In the case of Dormitory Authority, letters were written to each of the employees, past and present, who had been affected. In addition, e-mail notification went to current employees, while staff located former employees' contact information. For former employees who lived out of state, new addresses and contact information needed to be found. The organization also had to find and research nine other states' disclosure laws so as to comply with those as well.

The organization had many things to consider when examining the disclosure process. There was the cost of having the letters and envelopes printed, the cost of stamps and the staffing needed to stuff, seal and send over 600 letters. There was the cost of hiring a credit monitoring service to monitor each employee's credit for a year. They also had employees from the Purchasing Department establish a hotline to field questions from employees and vendors.

"We were reaching out, trying to provide ways for people to contact us, so that we could help them through [this] situation we had put them in," said Springer.

These are the often-overlooked repercussions of a security breach that most companies do not consider until they are actually faced with such an occurrence. According to Springer, "it's not all just lawyers and techies." People from nine different business units of the company were involved in the process: Information Services, Human Resources, Internal Affairs, Purchasing, Internal Controls, Building Management, Communications, Marketing and Executive Direction. It was a collaborative effort, and the process would not have been successful without the help of all the units involved.

On the fifth day of the formal search, the shipping company informed the organization that the tapes had been found. They assured them that the tapes had been in their possession the entire time and so it was determined that

Comments

John Franks    |    Commented October 1, 2008

These data breaches and thefts are due to a lagging business culture. Read some fresh and original thinking from the author of "IT Wars" - http://www.businessforum.com/DScott_02.html - I urge every business person and IT person, management or staff, to get hold of a copy of "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." It has an excellent chapter on security, and how to scale security for any organization, any budget. It also has a plan template with all considerations.


John Franks    |    Commented October 7, 2008

These data breaches and thefts are due to a lagging business culture. I found some fresh and original thinking from the author of "IT Wars" - http://www.businessforum.com/DScott_02.html

