More than 220 million records containing sensitive personal information have been involved in a security breach in the United States during the past three years, according to the Privacy Rights Clearinghouse.
From ChoicePoint to Bank of America in 2005, to Ohio state government workers and the California Public Employees' Retirement System (CalPERS) in 2007, the breach stories keep coming regardless of an organization's size or business complexity. No organization escapes scrutiny in this new environment that threatens even the best-run technology shops.
As threats increase, new laws get tougher, and stories of personal tragedies resulting from identity theft become more compelling, public CIOs now face the unwanted question: What will I do when a breach occurs here?
That's right. It's no longer if, but when.
I'm not suggesting you throw in the towel and admit cyber-defeat before you have a reportable incident. Operations teams and security plans already should be doing everything possible to prevent breaches from happening in the first place.
CIOs also need to make employee mistakes less costly. For example, encrypting laptops, USB drives and other portable equipment is a no-brainer since we know this portable equipment will sometimes be lost or stolen. The same can be said about protecting sensitive information on backup tapes.
You need a breach response plan that involves all the right players. Bring several people together: legal counsel, information owners, human resources, chief information security officer, chief privacy officer, public information officer, appropriate technology staff, and senior executives from the business side. If you're a small organization, you probably won't have all these player titles, but you should have these functions covered.
While most state legislation defines the parameters for sensitive information and the required breach reporting time frames, your plan also must address some basic questions: What steps must be followed to comply with state and federal laws? How will you determine if a breach has occurred? Who calls whom, even during off-hours? If a breach occurs, will credit protection coverage be offered?
While this is a business issue, CIOs typically coordinate actions throughout the enterprise. The plan needs to include policies and procedures for all parts of the business, and instructions for all levels, from end-users to senior executives. Most organizations already have processes for lost equipment, so don't forget to integrate your new procedures into the existing approaches. An abundance of excellent online resources can help you learn more about what's needed and improve your plans.
Once processes and procedures are in place, a training and awareness program is essential. In Michigan, this initial step included Cabinet-level briefings, training for top business owners, and sending formal memoranda outlining the plan to all stakeholders. We also created a four-minute training video for all state employees on their personal responsibility to prevent identity theft, available at www.Michigan.gov/cybersecurity.
Finally, all plans must be tested. I recommend conducting regular tabletop exercises with everyone who has a role in the breach notification process. Since every scenario is different, new items will surely arise from discussions at exercises.
Without a plan, it is more likely CIOs will make mistakes that cause public embarrassment and divert essential resources to the wrong tasks. After a breach occurs, a crisis can ensue which inevitably leads to additional errors. At least part of this pain can be avoided with prior planning. Several IT executives have told me, "I wish I knew then what I know now," or "If only ...."
I advise CIOs at all levels to reach out to colleagues, listen to their war stories, borrow their ideas, get a copy of others' plans and procedures - most will share.
But most importantly, get your breach notification plan in place as a top priority.