Data breaches seem to be happening at an absurdly rapid rate these days with reported incidents involving the theft of personally identifiable information hitting 25,566 in 2013 up from 10,481 in 2009.
Those figures are from testimony the Government Accountability Office will today present to a congressional hearing “Data Breach on the Rise: Protecting Personal Information From Harm.”
The GAO stated that data breaches involving personal information can occur under many circumstances and for many reasons. They can be inadvertent, such as from the loss of an electronic device, or deliberate, such as from the theft of a device or a cyber-based attack by a malicious individual or group, foreign nation, terrorist, or other adversary. Incidents have been reported at a wide range of public-and private-sector institutions, including federal, state, and local government agencies; educational institutions; hospitals and other medical facilities; financial institutions; information resellers; retailers; and other types of businesses.
“The loss or unauthorized disclosure or alteration of the information residing on federal systems, which can include [personal information], can lead to serious consequences and substantial harm to individuals and the nation,” the GAO stated.
In its testimony the watchdog agency presented an outline of how government IT entities in particular should handle data breaches. The details of the suggested response is certainly applicable public and private firms as well.
From the GAO report:
Establish a data breach response team
While technical remediation is usually handled by IT security staff, agencies should create a team to oversee responses to a suspected or confirmed data breach, including the program manager of the program experiencing the breach, chief information officer, chief privacy officer or senior agency official for privacy, communications office, legislative affairs office, general counsel, and the management office which includes budget and procurement functions.
Train employees on roles and responsibilities for breach
Agencies should train employees on their data breach response plan and their roles and responsibilities should a breach occur. Specifically, the US Office of Office of Management and Budget (OMB) requires agencies to initially train employees on their privacy and security responsibilities before permitting access to agency information and information systems and thereafter provide at least annual refresher training to ensure employees continue to understand their responsibilities.
Prepare reports on suspected data breaches and submit them to appropriate internal and external entities
Agencies should establish procedures for promptly reporting a suspected or confirmed breach to the appropriate internal management entities and external oversight entities. For example, the breach response team should be notified about all suspected or confirmed breaches. Further, agencies must report all incidents involving personal information to US-CERT within 1 hour of discovering the suspected or confirmed incident.
Assess the likely risk of harm and level of impact of a suspected data breach in order to determine whether notification to affected individuals is needed. In addition to any immediate remedial actions they may take, agencies should assess a suspected or confirmed breach to determine if there is a likely risk of harm and the level of impact, if applicable.
The OMB has outlined five factors that should be considered in assessing the likely risk of harm: (1) nature of the data elements breached, (2) number of individuals affected (3) likelihood the information is accessible and usable, (4) likelihood the breach may lead to harm, and (5) ability of the agency to mitigate the risk of harm. Once a risk level is determined, agencies should use this information to determine whether notification to affected individuals is needed and, if so, what methods should be used. OMB instructed agencies to be mindful that notification when there is little or no risk of harm might create unnecessary concern and confusion. It also stated that while the magnitude of the number of affected individuals may dictate the method chosen for providing notification, it should not be the determining factor for whether an agency should provide notification.
Offer assistance to affected individuals (if appropriate)
Agencies should have procedures in place to determine whether services such as credit monitoring should be offered to affected individuals to mitigate the likely risk of harm. OMB instructed agencies that, while assessing the level of risk in a given situation, they should simultaneously consider options for attenuating that risk.
Analyze breach response and identify lessons learned
Agencies should review and evaluate their responses to a data breach, including any remedial actions that were taken, and identify lessons learned, which should be incorporated into agency security and privacy policies and practices as necessary. NIST recommended holding a “lessons learned” meeting with all involved parties after a major incident and periodically after lesser incidents, as resources permit, to assist in handling similar incidents and improving security measures.