Building Trust After a Breach
Educating Consumers About Breach Prevention Efforts
But three recent breach incidents, each involving the loss or theft of back-up drives, illustrate that some organizations are doing a far better job than others in informing consumers about the steps they're taking to prevent breaches.
Maryville Academy Incident
For example, an Illinois childcare agency explained a revised security policy, including the use of encryption, in its website statement about a breach involving the apparent theft of three unencrypted back-up portable hard drives. (See: Breach Incident Triggers Encryption.) The statement from Maryville Academy in suburban Chicago explained:
"All data security policies and procedures have been reviewed and updated, including the maintenance of back-up hard drives. To protect against any future breaches, Maryville Academy has changed the location of its local site and the manner for storing any back-up hard drives and has upgraded the security for this purpose.
"In addition, Maryville Academy is now in full compliance with the U.S. Department of Health and Human Services' recommended procedure of using data encryption to protect clients' health information. Maryville Academy has begun a practice of using specialized security software to completely encrypt all the records on these back-up hard drives. This encryption software scrambles the data on the back-up hard drives, which makes the information unusable in the event they are ever lost or stolen in the future."
The statement makes it clear that the organization has taken tangible action and explains it in layman's terms (though, as with any encrypted-backup scheme, the protection only holds if the encryption keys are kept separately from the drives, a detail the statement does not address). Not bad for a relatively small organization that experienced a breach affecting about 4,000 youths.
NYC Health and Hospitals Incident
Following another, much larger, recent breach incident, the New York City Health and Hospitals Corp. also posted a statement on its website. (See: New York Breach Affects 1.7 Million.) In the aftermath of that breach, which involved unencrypted back-up tapes stolen from a truck that was transporting them for secure storage, the organization said:
"HHC has taken immediate measures to prevent a similar situation from reoccurring; has terminated the contract with the vendor responsible for the loss; and has filed a lawsuit against the vendor to hold it responsible for covering all of the costs associated with notifying all affected individuals, and to pay for other damages related to the loss of the data."
When I requested more information, a spokesman also acknowledged that while the organization had encrypted most of its backup files, the tapes that were stolen had not yet been encrypted. "HHC has been undergoing a multi-year data center consolidation project, which requires the careful transition and transfer of all data backup systems to the new center for storage," the spokesman said. "As part of this process, HHC had to standardize data systems across the hospitals and encrypt all clinical systems backups. HHC has already encrypted more than 80 percent of the data. The (stolen) hospital system files were scheduled for the necessary migration and encryption in March 2011."
Health Net Incident
In contrast, when insurer Health Net posted a statement about a breach that may have affected as many as 1.9 million, it offered no details about its action steps, and a spokesman declined to answer questions. But regulators in several states have issued statements of their own about the incident. (See: Health Net Faces Another Investigation.)
So which approach is best for building trust? And which approach would your organization take? Are you sure?