Data breaches: Be prepared or prepare to pay
By Michael Bruemmer
Earlier this year, hackers attempted to access the Office of Personnel Management’s database files of thousands of workers seeking high-level security clearances. It wasn’t the first such cyber attack from abroad against a U.S. agency, and it certainly won’t be the last. Fortunately, the alleged intrusion was detected and quickly blocked, and agency officials gave assurances that there had been no loss of personally identifiable information. But, as we know, not every cyber attack is so successfully thwarted. Could your agency act as promptly and as successfully? Unless your agency has an extra $5.4 million on hand, the average cost these days to repair a critical data breach, you should read this short primer on data-breach preparedness.
Meeting these increasing threats begins with one key proactive step: creating a response team, headed by a team leader, that will develop a data-breach plan. The plan must be updated, audited and tested every six months. Team members should include the agency director or an appointee from the senior executive service, as well as members of the security and public affairs offices and, of course, the IT staff.
The team creates a response team roster for its members and supervisors that will include names, contact information, proper precautions and procedures. The team leader is the intermediary between the members and managers, coordinating the overall response, managing timelines and documenting all efforts to repair the breach. The security and IT members instruct personnel on how to secure their offices and equipment promptly, take infected machines offline and preserve evidence of the breach for possible legal action. Additionally, consider contracting with a private data-breach resolution vendor — in advance of a breach — that will assign a dedicated account manager to your agency and step in to assist when a breach occurs. That account manager will handle escalations, tracking and reporting of the breach, as well as offer secure services such as notification, call centers and protection products for victims.
In addition to an agencywide training focus on breach preparedness and resolution, team members have specific responsibilities, including working with employees to integrate data-security awareness into their daily work habits. The team also should develop data security and mobile policies and keep them current, invest in proper cybersecurity devices and firewall protection, and restrict employee access to both hard-copy and electronic data to a need-to-know basis.
Once a breach is detected, quick action by the team can help mitigate the incident and its consequences. The team promptly implements the response plan, engages the proper resources and tracks the remediation efforts. The IT staff and security personnel take the lead in plugging the breach and bringing the machines back online after they are fully scrubbed for viruses and other possible malware infections.
It’s important to create a data-breach incident checklist to collect, document and record as much information about the incident as possible and the specific steps taken to fix it, including why the steps were taken. If your agency has confidential or highly classified data, the security team member will call in relevant law-enforcement agencies to identify compromised data without compromising evidence.
Depending on the size and nature of the data breach, it may also become necessary for the public affairs team member to alert the media and the public. Keep in mind that it’s your agency’s responsibility to comply with laws and regulations on citizen and law-enforcement notifications, which can be a requirement under certain circumstances. Therefore, it’s important to review and stay up to date on both state and federal laws governing data breaches in your industry as well as state notification requirements. Such steps help limit the damage to personal data, preserve the agency’s good name and save it from the embarrassment of having to acknowledge the breach after the fact. Those affected should be contacted through the agency’s call center, by email or through the U.S. Postal Service, and told how the breach might affect them and what steps they need to take to safeguard their personal information.
Remember, by being prepared for a data breach, you can mitigate the harm it was intended to cause.