CHICAGO – Successfully recovering from a data breach is done by putting customers’ needs first, says a security professional who did just that.
In dealing with a 2005 data breach at Boston College, in which the personal information of 100,000 alumni was potentially exposed, David Escalante, director of computer policy and security, believes the organization made the best of a bad situation.
“It came out badly, in the sense that it happened, but it seemed to me that we were doing the right things, and I hope people recognize that,” he says.
The steps that Escalante says helped the college recover include:
* Apologize to the people potentially affected by the breach, and put their needs first. “We had to put our customers first, and not worry about the implications to ourselves,” he says. “If you treat your customer right, you’re going to be fine.”
* Don’t become defensive. “All too often people get defensive, and that’s not where you want to be,” he says. “And if you become defensive internally, people start to [worry about] covering their butts, instead of figuring out where the problem is.”
* Make sure the incident response team has the breadth to handle the breach. Boston College already had a team that responded to smaller threats, but the CIO decided to pull together a much larger team drawn from many different departments to deal with the data breach.
* Keep upper management off the main response team. Executives are key in making big decisions, but not moment-to-moment decisions, he says.
* Assume the worst. “That bought time for management to think about what to do in different scenarios,” he says. In the end, Boston College notified all 100,000 alumni whose records were on the compromised server, rather than taking the time to determine which records had actually been accessed, which would have delayed notification.
* Give the affected customers a way to get their questions answered, and make sure the staff who answer them are prepared. Boston College worked up scripts for the employees answering the phone lines listed in the notification letters.