Breach Brigade - CSO Magazine - February 2004:
When bad things happen to your enterprise, you'll need a team and a process in place to help you survive the hot glare of media scrutiny.
BY TRACY MAYOR
A COMEDIAN ONCE suggested that an executive's only viable option when cornered by Mike Wallace and his 60 Minutes crew is to fall to the floor and feign death. Let them in the door and you're toast; keep them out and you only incriminate yourself in the eyes of judgmental viewers.
These days, corporate security executives can be forgiven for secretly wanting to roll over and play dead themselves. Boxed in on one side by new public disclosure laws and regulations, and on the other by an ever more savvy and sensationalistic press, CSOs increasingly must find successful strategies for responding as their breaches play out in the public arena.
Thankfully, say experts, there are alternatives to chaos and panic when a physical or digital security incident (or both, as seems to have been the case in last August's power grid failure) becomes a matter of public knowledge.
Connie Emery, chief privacy and security officer at Tenet HealthSystem, is one security executive who's been blindsided by a breach and lived to tell the tale. When an internal user error sent confidential patient information to the wrong person, that individual called a local news station rather than the hospital to report the incident, triggering every CSO's worst nightmare.
Letters of the Law
When security has been compromised, containment is the first responsibility of that crack incident-response team you've put together. Simultaneously, the team will also need to determine what information must be disclosed or should be disclosed—and to whom.
On the "must" side of the equation, laws such as California's much-discussed Information Practices Act (SB 1386) increasingly play a part in determining who gets told what and when. (The law requires that companies doing business in California or having customers in the state promptly notify those customers whenever their personal information may have been compromised.)
At the same time, federal legislation is changing the way specific industries operate. In financial services, for example, the Safeguards Rule of the Gramm-Leach-Bliley Act mandates how financial institutions design, implement and maintain safeguards for customer data. Particular sections of the Sarbanes-Oxley Act require companies to audit the controls and processes underlying financial reporting and to disclose in real time any material events that might impact a company's financial standing.
In health care, the Health Insurance Portability and Accountability Act (HIPAA) has radically changed nearly every aspect of how patient data is collected and handled by hospitals, health-care providers, insurers, doctors' offices, billing companies and others.
"When you have an unauthorized disclosure of patient health information, HIPAA comes into play, and we have to get our HIPAA experts involved," says Anthony Potter, director of security at the Forsyth Medical Center in Winston-Salem, N.C. "In a situation like that, it's in our absolute best interest to be very forthcoming with information. There are criminal penalties attached for not doing so."
During a breach, the last thing you want is to have any member of your response team rummaging through desk drawers or flipping through compliance manuals. To be prepared, make sure at least one member of the team is current on all of your company's legal disclosure obligations. Make sure your legal or compliance colleagues have clearly posted and explained these confidentiality laws to employees (which should also reduce the number of inadvertent breaches); and make sure your company is gathering physical and digital compliance data on an ongoing basis.