Expert do's and don'ts for dealing with data breaches

Organizations that experience data breaches must move quickly to assuage the fears of their constituents and go beyond expectations to address the situations effectively, according to those most familiar with the incidents.

Speaking at the ongoing Security Standard Conference in Chicago, a pair of experts offered advice for handling situations where sensitive user or customer data is lost or stolen, and examined the missteps taken by retailer TJX Companies in handling its now-notorious credit card information theft.

First to the podium was David Escalante, director of computer policy and security at Boston College, which in March 2005 experienced a break in to a server containing sensitive alumni fund-raising information.

By addressing the situation head-on and moving to inform anyone whose data may have been exposed in the incident -- which was ultimately blamed on a third-party IT services provider that managed the affected system -- Escalante said BC was able to minimize the impact of the event and quickly move on.

"This was probably the low point of my career," said Escalante. "But while it was a bad thing to have happen, it seemed at the time that we were doing the right things to handle it, and I'm glad to say that turned out to be the case."

Less than two weeks after BC discovered the breach, the school had assembled a comprehensive incident response plan and had mailed out 100,000 warning letters to anyone whose data may have been stored in the system.

By aggressively seeking to communicate with its constituents, including setting up phone lines on which its alumni could call and complain about the issue, the school was able to move past the situation and better prepare for any future breach events, he said.

Among the tips that Escalante offered for managing such a crisis was to huddle different organizational officials "like a football team" and loop in everyone from the school's public relations department to its campus police force and IT management groups.

By creating a cross-organizational strategy to handle different aspects of the breach, the administrator said, the school was able to assemble the right mix of people to work on different tasks -- from applying computer forensics to study aspects of the breach itself to aligning the right mix of leadership to oversee the entire response process.

At the same time, it was crucial to establish separation of duties early in the game, Escalante said.

"It's good to keep your upper management separate from your response team because they can get in the way. You want management involved, but you don't want them focusing on every little issue," said Escalante. "At the same time by bringing together a diverse response team, IT and security didn't have to coordinate every issue for themselves."

In addition to seeking legal help from its attorneys, the school was able to communicate effectively with law enforcement officials investigating the incident since BC had already familiarized itself with those people before the breach. On the flip side, when Tufts University experienced a similar issue, administrators at the school called Escalante to seek his advice as they didn't know what to expect from law enforcement agencies, he said.