Security threats and remediation strategies for the public sector
RECORDED WEBCAST
Institutions of higher education and other public sector organizations maintain a wide variety of sensitive personal data on current and former students, employees, donors, trustees and board members. Whether by means of a network intrusion, routine failures of technology or simple human error, the threat of a data breach exposing this information is real, and the consequences can be devastating.
What is a data breach? It is an actual release or disclosure of information relating to a person to an unauthorized individual or entity, where that release may cause the person inconvenience or harm, such as financial or reputational damage. This often means the exposure of personal information such as credit card numbers or protected health information. For an organization, a breach can mean the unauthorized release of its client data, employee information or intellectual property.
Types of security breaches include the following:
- Improper disposal of data, either paper or electronic assets
- Phishing attacks
- Network intrusion, hacks and malware (including viruses)
- Lost, missing and stolen electronic assets
- Mishaps due to broken business practices
- Rogue employees
What should one do if met with a security breach? In practice, the question is not if but when you will have to contend with this issue. Most organizations will be met with this unfortunate circumstance in some form; however, having a response plan in place before the breach occurs can help mitigate the damage. Your data breach response methodology should include a discovery phase that weighs the incident, an evaluation phase with a comprehensive forensic investigation and legal review, crisis planning for the short and long term, and a review of long-term consequences such as lawsuits, income losses and reputational damage.
In addition, a full risk assessment strategy should be implemented, including a review of current business continuity and disaster recovery plans to ensure that a data breach incident response plan is integrated within them. Periodic vulnerability scans should be conducted as well, along with mock incident response drills to test your plan and adjust it where needed. Employee training is essential, too. Training and communications should cover all service levels, from vendors and service providers to your own staff and leadership, to ensure that everyone is mindful of your organization's response plan and knows their part in the overall strategy. Being mindful of all the regulatory components connected with securing data is also essential. A number of federal laws require data protection or privacy protections of organizations, and each state has additional legislative requirements. Knowing how each of these laws affects your business is key.
Lastly, because of the significant costs that result from a data breach, some businesses have also included breach insurance as part of their plan. Insurance carriers provide expertise in facilitating an effective and efficient response to a breach and can be a critical element of business recovery.
Andrew Obuchowski, Jr., CISM, CISSP, EnCE, QSA, RSM LLP
Andrew is RSM's national leader in data breach, digital forensics and incident response services. His team provides cutting-edge services and solutions for clients preparing for and responding to information security and privacy assessments and investigations.
James J. Giszczak, Esq., McDonald Hopkins LLC
Jim advises clients on responding to security breaches and implementing appropriate data security safeguards. Jim litigates matters involving data security and data privacy, is a frequent speaker and writer in data privacy law, and regularly conducts incident response workshops.
Dominic Paluzzi, Esq., McDonald Hopkins LLC
Dominic advises clients on data privacy and cybersecurity measures, drafting written information security programs and incident response plans, and responding to data security breaches. His industry experience includes education, health care, hospitality, retail and many others.
Paul Nikhinson, Esq., CIPP/US, CIPP/E, Beazley
Paul Nikhinson is a privacy breach response services manager with Beazley. Paul supports Beazley's clients in data breach investigations, assists with privacy risk management and loss control, and helps Beazley respond to the wide range of issues that arise in connection with an actual or suspected data security incident.