How to respond to a data breach

Data breaches seem to be happening at an absurdly rapid rate these days, with reported incidents involving the theft of personally identifiable information hitting 25,566 in 2013, up from 10,481 in 2009.

Those figures are from testimony the Government Accountability Office will today present to a congressional hearing "Data Breach on the Rise: Protecting Personal Information From Harm."

The GAO stated that data breaches involving personal information can occur under many circumstances and for many reasons. They can be inadvertent, such as the loss of an electronic device, or deliberate, such as the theft of a device or a cyber-based attack by a malicious individual or group, foreign nation, terrorist, or other adversary. Incidents have been reported at a wide range of public- and private-sector institutions, including federal, state, and local government agencies; educational institutions; hospitals and other medical facilities; financial institutions; information resellers; retailers; and other types of businesses.


"The loss or unauthorized disclosure or alteration of the information residing on federal systems, which can include [personal information], can lead to serious consequences and substantial harm to individuals and the nation," the GAO stated.

In its testimony the watchdog agency presented an outline of how government IT entities in particular should handle data breaches. The details of the suggested response are certainly applicable to public and private firms as well.

From the GAO report:

Establish a data breach response team

While technical remediation is usually handled by IT security staff, agencies should create a team to oversee responses to a suspected or confirmed data breach, including the program manager of the program experiencing the breach, chief information officer, chief privacy officer or senior agency official for privacy, communications office, legislative affairs office, general counsel, and the management office which includes budget and procurement functions.

Train employees on roles and responsibilities for breach

Agencies should train employees on their data breach response plan and their roles and responsibilities should a breach occur. Specifically, the US Office of Management and Budget (OMB) requires agencies to initially train employees on their privacy and security responsibilities before permitting access to agency information and information systems, and thereafter to provide at least annual refresher training to ensure employees continue to understand their responsibilities.

Prepare reports on suspected data breaches and submit them to appropriate internal and external entities

Agencies should establish procedures for promptly reporting a suspected or confirmed breach to the appropriate internal management entities and external oversight entities. For example, the breach response team should be notified about all suspected or confirmed breaches. Further, agencies must report all incidents involving personal information to US-CERT within 1 hour of discovering the suspected or confirmed incident.

Assess harm

In addition to any immediate remedial actions they may take, agencies should assess a suspected or confirmed breach to determine whether there is a likely risk of harm and, if so, the level of impact. That assessment is what decides whether notification to affected individuals is needed.

The OMB has outlined five factors that should be considered in assessing the likely risk of harm: (1) nature of the data elements breached, (2) number of individuals affected, (3) likelihood the information is accessible and usable, (4) likelihood the breach may lead to harm, and (5) ability of the agency to mitigate the risk of harm. Once a risk level is determined, agencies should use this information to decide whether notification to affected individuals is needed and, if so, what methods should be used. OMB instructed agencies to be mindful that notification when there is little or no risk of harm might create unnecessary concern and confusion. It also stated that while the number of affected individuals may dictate the method chosen for providing notification, it should not be the determining factor for whether an agency provides notification at all.

Offer assistance to affected individuals (if appropriate)

Agencies should have procedures in place to determine whether services such as credit monitoring should be offered to affected individuals to mitigate the likely risk of harm. OMB instructed agencies that, while assessing the level of risk in a given situation, they should simultaneously consider options for attenuating that risk.

Analyze breach response and identify lessons learned

Agencies should review and evaluate their responses to a data breach, including any remedial actions that were taken, and identify lessons learned, which should be incorporated into agency security and privacy policies and practices as necessary. NIST recommended holding a "lessons learned" meeting with all involved parties after a major incident and periodically after lesser incidents, as resources permit, to assist in handling similar incidents and improving security measures.


Stories by Michael Cooney
