Data Breach: How and When to Say "We Screwed Up"

One man's experience of a near large-scale data breach.

September 30, 2008

"Fall Out." That was the term used by the shipping company when Dormitory Authority's back-up tapes went missing. On the trip from the Albany headquarters of this New York based construction organization, to their data center in New York City, the tapes literally had fallen out of their yellow mailing envelope. The tapes contained personal private or sensitive information (PPSI) of over 600 employees and approximately 3,000 vendors. The shipping company needed five days to conduct a formal search to determine if the tapes were in fact lost, or just misplaced.

In the meantime, Dormitory Authority's compliance officer, Michael Springer, was faced with a dilemma: Do we alert our vendors and employees that there has been a security breach, or wait five days to make the decision? Within two days, senior management decided to meet and exceed all disclosure requirements. "If there [are] time requirements, we're going to beat them. If there's criteria laid out, we're going to exceed it. We want to be forthright and very responsible for this entire situation," said Springer. And so began the disclosure process.

The first step was to determine exactly what kind of information was on the tapes and whom it would affect. The five tapes were nightly back-ups of various systems. The two most critical systems housed the financial management application and the employee time-keeping application. Both of these applications contained PPSI -- and neither was encrypted. Social Security numbers and tax ID numbers of thousands of vendors and hundreds of employees were now compromised.

The organization then notified New York's Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), the Attorney General and the state's Consumer Protection Board of the situation.

Next they had to decide how to notify everyone whose information had potentially been compromised. Could an e-mail be sent? Do letters need to be mailed? In the case of Dormitory Authority, letters were written to each of the employees, past and present, who had been affected. In addition, e-mail notification went to current employees, while staff located former employee contact information. For former employees who lived out of state, new addresses and contact information needed to be found. The organization also had to find and research nine other states' disclosure laws so as to comply with those as well.

The organization had many things to consider when examining the disclosure process. There was the cost of having the letters and envelopes printed, the cost of stamps and the staffing needed to stuff, seal and send over 600 letters. There was the cost of hiring a credit monitoring service to monitor each employee's credit for a year. They also had employees from the Purchasing Department establish a hotline to field questions from employees and vendors.

"We were reaching out, trying to provide ways for people to contact us, so that we could help them through [this] situation we had put them in," said Springer.

These are the often-overlooked repercussions of a security breach that most companies do not consider until they are actually faced with such an occurrence. According to Springer, "it's not all just lawyers and techies." People from nine different business units of the company were involved in the process: Information Services, Human Resources, Internal Affairs, Purchasing, Internal Controls, Building Management, Communications, Marketing and Executive Direction. It was a collaborative effort, and the process would not have been successful without the help of all the units involved.

On the fifth day of the formal search, the shipping company informed the organization that the tapes had been found. The shipper assured the organization that the tapes had been in its possession the entire time, and so it was determined that there had, in fact, been no breach of security at all.

There were many things to be gained from this "exercise." Springer says that his organization is now fully prepared to deal with a breach of this kind, should a similar situation present itself. They are now also exploring different types of encryption and how to use each for the most effective data protection.

"Not all data loss is the result of a malicious act, attack or hack. We all think there are sinister forces out there; they're sniffing the air, they're sniffing the wires, they're in our devices -- they want the information and they are going to try to steal it from us one way or another. In our case, it was caused by simple, human error," said Springer. Organizations need to be prepared for the worst so as not to be caught off guard when something as simple as "fall out" occurs.