Government Technology

Data Breach: How and When to Say "We Screwed Up"



September 30, 2008 By

"Fall Out." That was the term used by the shipping company when Dormitory Authority's back-up tapes went missing. On the trip from the Albany headquarters of this New York-based construction organization to its data center in New York City, the tapes had literally fallen out of their yellow mailing envelope. The tapes contained personal, private or sensitive information (PPSI) on more than 600 employees and approximately 3,000 vendors. The shipping company needed five days to conduct a formal search to determine whether the tapes were in fact lost or just misplaced.

In the meantime, Dormitory Authority's compliance officer, Michael Springer, faced a dilemma: alert vendors and employees immediately that there had been a security breach, or wait five days for the outcome of the search before deciding? Within two days' time, senior management decided to meet and exceed all disclosure requirements. "If there [are] time requirements, we're going to beat them. If there's criteria laid out, we're going to exceed it. We want to be forthright and very responsible for this entire situation," said Springer. And so began the disclosure process.

The first step was to determine exactly what kind of information was on the tapes and whom it would affect. The five tapes were nightly back-ups of various systems. The two most critical systems housed the financial management application and the employee time-keeping application. Both applications contained PPSI, and neither was encrypted. The Social Security numbers and tax ID numbers of thousands of vendors and hundreds of employees were now compromised.

The organization then notified New York's Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), the Attorney General and the state's Consumer Protection Board of the situation.

Next they had to decide how to notify everyone whose information had potentially been compromised. Could an e-mail be sent? Did letters need to be mailed? In Dormitory Authority's case, letters were written to each affected employee, past and present. In addition, e-mail notification went to current employees while staff located contact information for former employees. For former employees who now lived out of state, new addresses and contact details had to be found, and the organization also had to research nine other states' disclosure laws in order to comply with those as well.

The organization had many things to consider when examining the disclosure process: the cost of having the letters and envelopes printed, the cost of postage, and the staff time needed to stuff, seal and send more than 600 letters. There was also the cost of hiring a credit monitoring service to monitor each employee's credit for a year. Employees from the Purchasing Department were assigned to set up a hotline to field questions from employees and vendors.

"We were reaching out, trying to provide ways for people to contact us, so that we could help them through [this] situation we had put them in," said Springer.

These are the often overlooked repercussions of a security breach that most companies do not consider until they are actually faced with such an occurrence. According to Springer, "it's not all just lawyers and techies." People from nine different business units of the company were involved in the process: Information Services, Human Resources, Internal Affairs, Purchasing, Internal Controls, Building Management, Communications, Marketing and Executive Direction. It was a collaborative effort and the process would not have been successful without the help of all the units involved.

On the fifth day of the formal search, the shipping company informed the organization that the tapes had been found. They assured them that the tapes had been in their possession the entire time and so it was determined that



Comments

John Franks    |    Commented October 1, 2008

These data breaches and thefts are due to a lagging business culture. Read some fresh and original thinking from the author of "IT Wars" - http://www.businessforum.com/DScott_02.html - I urge every business person and IT person, management or staff, to get hold of a copy of "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." It has an excellent chapter on security, and how to scale security for any organization, any budget. It also has a plan template with all considerations.

John Franks    |    Commented October 7, 2008

These data breaches and thefts are due to a lagging business culture. I found some fresh and original thinking from the author of "IT Wars" - http://www.businessforum.com/DScott_02.html
