After a security breach

The week he was promoted from acting to permanent CIO at the University of Connecticut, Michael Kerntke had his mettle tested by the June 20 discovery of a rootkit on a system housing the names and Social Security numbers of 72,000 employees, students and alumni.

An investigation found that the rootkit, an attacker tool for compromising computer systems without detection, hadn't been touched since it was installed in October 2003. That made it highly unlikely personal records were ever copied off the server. Still, Kerntke persuaded senior administration to err on the side of caution and go public with the breach.

The frenzy had finally died down that Friday, but at 7 p.m. as he neared his driveway in his Chevy Tahoe, he got another call from his public relations manager. A channel 3 news crew was waiting for him back at the data center and needed him to show them around.

"I never thought when I took this job that I'd be on TV," says Kerntke, who not only kept his job despite the breach, but also earned accolades from school administrators for his ability to communicate the extent of the damage to a non-technical news audience and to be available for interviews at odd hours.

Facing the limelight is part of the way IT executives' jobs are getting more challenging as a result of new rules to report private data breaches. There's also the other work involved - the investigations, repairs and notifications arising from data breaches that expose personal information. In all, 80 such breaches went public between Feb. 15 and Sept. 29, according to the Privacy Rights Clearinghouse.

While IT executives don't seem to be losing their jobs over the rising number of publicly reported breaches, their companies are experiencing severe losses, starting with an exodus of customers and customer loyalty. According to a September survey of 10,000 adults conducted by the Ponemon Institute, a privacy research organization, 19% of respondents ended their relationships with companies reporting breaches, and 58% say they have lost trust.

Publicly held companies also suffer a 5% stock drop in the wake of such a disclosure, according to the 2003 study "The Economic Cost of Publicly Announced Information Security Breaches" published in the Journal of Computer Security. And the cost of informing affected parties also is expensive, ranging anywhere from $15 to $35 per victim, according to Jonathan Penn, principal analyst for identity and security at Forrester Research.

POOR RESPONSE Kaiser Permanente • The Northern California HMO was fined $200,000 in August for failure to properly investigate and report a mistake that exposed a handful of patient lab records. Mary Henderson, vice president of IT compliance, was not able to determine who was responsible. GOOD RESPONSE UC-Berkeley • When a laptop was stolen from the graduate department that contained personal information about 98,400 alumni, Shelton Waggener, director of central computing, launched an informational Web site, now emulated by other universities responding to data breaches. POOR RESPONSE CardSystems • Visa’s vice president of risk management, John Shaughnessy, opted to pull the plug on payment card processor CardSystems after it violated card industry payment standards set ahead of time to prevent breaches such as the one that exposed 40 million cards in June. GOOD RESPONSE University of Connecticut • Following the June 20 discovery of a rootkit on a system housing personal information on 72,000 employees, students and alumni, U-Conn CIO Michael Kerntke opened his data center to the media and explained to them, in plain English, the level of risk to the data on the compromised server. ISABELLE CARDINAL

Click to see: