How To Deal with a Data Security Breach
Note: This is part of an online course on Securing Confidential Data.

Purpose of This Module
The purpose of this module is to give you actionable steps to take in the event of a data breach. Do not act on them until you have first notified your supervisor and other critical district personnel.
Step by Step
- Move quickly to assess what information has actually been compromised, or could have been. If the data was encrypted and the decryption keys were not exposed along with it, you are generally not required to report it as "stolen" (the encryption safe harbor in most breach-notification laws assumes the keys stayed protected, so confirm this before relying on it). If the information was unencrypted, as in a spreadsheet or a text file, proceed to the next step.
- Prepare a statement to send to those affected within 24-48 hours of discovering the loss or theft of confidential data (a sample letter appears below). Tell them exactly what confidential information was compromised and what options they have to protect themselves against identity theft. Those options are as follows and should be taken as quickly as possible:
a) Notify the Federal Trade Commission (http://www.consumer.gov/idtheft/) of the possibility of identity theft. Phone option #3 provides specific advice on what to do next.
b) Place a fraud alert: contact one of the three major credit reporting agencies and complete its automated phone-in fraud alert process. An initial fraud alert is free; the seven-year extended alert requires an identity theft report filed with law enforcement. Whichever agency the individual contacts will notify the other two, so the alert is placed on the individual's file at all three agencies.
Contact information for the credit agencies:
Equifax (800) 525-6285; www.equifax.com
Experian (888) 397-3742; www.experian.com (fraud alert process available online)
TransUnion (800) 680-7289; www.transunion.com
Once individuals receive their credit reports, they should review them for suspicious activity. If they see accounts they did not open or incorrect personal information, they should contact the credit agency(s) and their local law enforcement agency (e.g. the city police department) to file a report of identity theft.
c) Call the U.S. Social Security Administration at (800) 772-1213.
d) Password protect your bank accounts. Work with your bank to require a password before any transaction, including withdrawals or deposits, can be made.
e) Take advantage of these resources for identity theft victims; the more informed you are, the better!
* Better Business Bureau - http://www.bbbonline.org/idtheft/safetyquiz.asp
* Identity Theft Resource Center - http://www.idtheftcenter.org/homeland.shtml
- Establish a clear line of communication with those affected through a web site, by email, by postal mail, AND by phone. Leave no stone unturned in making people aware: make contact in several forms and on several occasions. Surprisingly, some people believe that "It just couldn't have happened to me!" It is your job to make sure they understand the consequences of inaction.
- Communicate, communicate, communicate. If you are fielding angry phone calls on behalf of your organization, acknowledge that the organization is at fault, accept responsibility (you are representing it), and listen to what callers have to say.
Explain exactly what they need to do to address the issue and what you are doing to help, but the most important thing you can do is listen. Communicating in this situation means listening and responding, and understanding that their frustration is legitimate.
- Schedule several face-to-face meetings with those affected, and offer to cover the cost of the more detailed monitoring options the credit agencies sell. The agencies do offer a free option (though they will try to sell you a paid one); if your organization was responsible, it should expect to pay for a few months of the paid service, especially if there is evidence that the compromised data has been used.
Everything posted on Miguel Guhlin's blogs/wikis is his personal opinion and does not necessarily represent the views of his employer(s) or its clients.