In 2007, there were 329 reported security breaches in the U.S., according to the Privacy Rights Clearinghouse. That's millions of names, Social Security numbers, credit card numbers and other personal information, lost by or stolen from universities, government agencies and private businesses (small and large).
A few of those breaches remain high-profile, like the one involving Framingham, Mass.-based The TJX Cos., which reported in January 2007 that credit card information for as many as 94 million customers was compromised. And there were the lesser-known breaches, such as Goshen College and a bank in Wichita, Kan., where a hacker viewed personal data of some 20 customers.
Michael Sherer, director of IT at Goshen College in Indiana, is one of the initiated. Last year, a hacker accessed the college's admission server, compromising the personal data of 7,300 students and parents. Under state law, the college was required to notify all those involved of the breach.
Whether it makes headlines or not, keepers of personal data are required by state law to notify customers (and other concerned parties) when data has been compromised. California was the first state to require notification, the result of a 2003 law written after hackers accessed state employees' personal information in 2002. Other states soon followed suit, though the laws are far from uniform. Today, 42 states and the District of Columbia have passed some form of data breach notification legislation. The remaining eight states are considering similar bills.
Better to have and not need
Security breaches happen even to the prepared, even to the properly secured. But though losing personal data to thieves takes control from the hands of IT, CIOs do maintain some control over what happens afterward. Experts say readiness is the key to a successful breach notification response.
Notification in five
When a hacker gained access to students' personal information at Goshen College in Indiana last year, IT director Michael Sherer had to helm the state-mandated notification process. Staff members at the school managed to complete the process in the first five days. The timeline:
May 8, 2007: A Sophos product detects an attack on workstations. The source of the attack is a server in the admissions office. The server is taken offline and the breach is determined to be a hack. Internal forensics begin. The nature of the breach triggers the Indiana notification law. Working with admissions, IT determines exactly whose records were viewed. A first-draft notification letter is written. Collaborative work begins with public relations, student life, legal counsel and other school departments.
May 9: Legal counsel determines that letters must go to all affected students, not just Indiana residents.
May 10: The state attorney general's office is contacted.
May 11: A phone hotline is established. The letter is finalized and approved by legal counsel. Public relations develops a set of message points and frequently asked questions for staff speaking with the public. The letter is sent to 7,300 potentially affected people. Public relations statements are released on the college's website.
May 12: Unused Social Security numbers are removed from the system. Three major credit agencies are notified of the breach.
"You shouldn't assume just because you have a crisis communications plan that it actually covers a data breach," said Jim Maloney, president and CEO of Cyber Risk Strategies LLC in Santa Fe, N.M., and a breach notification consultant. "One of the worst things would be to get the call from the media to have to explain this or having to scramble to put together about 20 different breach letters."
A company must comply with the notification law of each state where a customer whose data has been lost resides. And it's complicated: each law differs, from its definition of "personal information" to the amount of time allowed between breach discovery and notification, to which mitigating factors exempt a company from the law (see sidebar).
That's a lot of detail to dig into while simultaneously containing a breach, especially for midmarket companies less likely to have in-house legal counsel, press officers or dedicated information security departments.
Sherer elected to draft just one letter as he faced a notification. His 10-person IT staff was consumed with learning how a hacker accessed an admissions server and whose personal information may have been viewed.
"There was in no way any effort to say 'Oh, what is Kansas asking?'" Sherer said. "I think the assumption was 'If we act in good faith, in accordance with Indiana law and we notify everybody, then we'll be OK.'"
For the most part, his team was. Although the hacker could have viewed personal information, no one has reported identity theft or credit fraud, Sherer said. Both the state attorney general and FBI were notified, but neither elected to open a criminal investigation, he said.
Sherer drafted his letter, which was sent to most people by email, by researching other data breach letters and mimicking them where he thought it was appropriate.
"We'd actually gotten a similar type of disclosure from a dental insurance company that had exposed our students' data, so we had been familiar with that kind of communication," he said.
The college's initial response was quick, Sherer said, because it already had a crisis response team in place, meaning it was simply a matter of assembling the players, including legal counsel, public relations and the student affairs office.
Maloney suggests CIOs develop a pre-emptive plan, one that includes a sit-down with IT, a lawyer and whoever would direct media relations for the company in the event of a breach.
Many state laws require some description of how the breach occurred. The CIO should bring technical expertise to the table, ensuring the statement is accurate and that it doesn't compromise any active criminal investigation. Attorneys should be on hand to make sure the statement protects the company from any potential litigation.
"Because it's that three-way thing, you don't want to get those people together in a room for the first time to craft some of these letters," Maloney said. Time and money can be saved, he suggested, by analyzing the spectrum of state laws in advance to find a sort of highest-bar standard that can be met with only one or two different notification letters (some state laws also allow phone calls and emails).
All of the advance work translates into cost savings. Companies lost, on average, $197 per record lost or stolen in 2007, an increase from $182 the year before, according to a recent study by the Ponemon Institute. Of that, $128 per record is the result of "customer churn and acquisition" in the wake of a breach.
Surveying 35 companies that experienced a breach, the study found the average total breach cost to be $6.3 million, which includes $4.1 million from lost business. The costs of the actual notification procedure have gone down, though, dropping from $25 per customer in 2006 to $15 per customer last year.
Sherer said the actual cost of his notification process was low, mostly because the college was able to send emails to most of the affected people. The time investment, he said, was huge. But going through the notification helped improve record-keeping at the school, with staff ditching unused personal information the school no longer had reason to keep, he said.
"When you have just taken every leader in the college and you've had to eat humble pie before all sorts of constituencies, that becomes a good opportunity to talk about how you're going to improve your security protocol," Sherer said.