I recently got a call from another state technology leader who wanted a listening ear and some advice for the future. He’d just been interviewed by a local news reporter who asked him several questions on cybersecurity.
The reporter was friendly and helpful, but he was seeking reassurance that the state’s citizen data was being safely and adequately protected. He was looking for a feel-good story with the basic message “everything is fine here.” Since this was shortly after South Carolina’s data breach of more than 3.6 million records, my friend was especially concerned with his answer to one simple question: “Has our state experienced a data breach?”
Feeling caught off guard on this question, he said, “I am not at liberty to discuss this topic.” The truth is that his government had experienced a (very small) security breach in one department several months earlier, but he certainly didn’t want to talk about it to the press. No one wants to be in the headlines for an accidental news story that reflects badly on his/her government.
Since most states have breach notification laws, the reporter was clearly expecting a transparent yes or no answer — followed by a discussion of any relevant “yes” details. Since this reporter was trying to write a supportive story, he was surprised by the answer. Needless to say, the reporter’s reaction spooked my friend, leading to the phone call to me.
In reality, I think this situation is a fairly common dilemma that government technology professionals face. Of course, no one, including my friend, wants to lie. Furthermore, very few can say an unequivocal “no breaches,” without adding some caveat, such as “that I am aware of” or more likely “we’ve had no major breaches.” Still, who wants to explain the difference between major and minor breaches?
Digging even deeper, answering the breach question often gets somewhat complicated. Explaining a “minor breach” is a bit like telling your spouse you have easily treatable cancer. No one likes hearing the word “cancer” — even if the odds are good for a full recovery. Allow me to explain with a “very minor breach” story from Michigan government.
A few years back, we had a vendor who won a small contract award. The award announcement was supposed to be placed on a purchasing Web page in a secured area where only authorized vendors can gain access. However, the award announcement was mistakenly placed on a public-facing website. Since this contract was awarded to a sole proprietor, the company identification number listed was also that person’s Social Security number. Bottom line: This sensitive data was temporarily available to the public for more than 24 hours until the error was discovered and fixed.
In simple terms, we experienced a (very minor) data breach of one person’s sensitive information. In keeping with Michigan notification laws and internal government processes, the person was notified and the appropriate follow-up actions, such as issuing free identity theft protection, were taken.
While this type of internal error leading to a breach is rare, I believe that very small data breaches do occur in state, local and federal government offices more often than people realize. In the vast majority of cases, appropriate actions are taken to safeguard consumers and lessons are learned by staff regarding how to prevent future mistakes.
So are some data breaches inevitable? Probably. But we can certainly reduce the risk of breaches through in-depth training and cyberdefense.
Of course, minor breaches regarding a few sensitive records are very different than major data breaches involving thousands or even millions of records. Nevertheless, in the black-and-white world of the reporter’s simple question, I would need to acknowledge that Michigan did experience a minor data breach of sensitive data for one individual.
So what did I tell my friend? How would I answer that reporter’s question?
“Yes, we have had a very minor data breach in Michigan that was the result of internal administrative errors. Nevertheless, we’ve never experienced anything close to the scale of Utah or South Carolina so far.”
I would explain our cybersecurity plans, our data encryption, our actions to date and how seriously we take cybersecurity.
And, hopefully, my words don’t make the headlines.