I have taken about 60 days to publish the final part of this series of articles. That is the same delay there was before a public notice was published for the victims of the data breach. Is 60 days a reasonable time for an Examiner to conclude an article? Is 60 days a reasonable time for a serious data breach to be reported to the public when there was no legal reason to delay reporting?
For several days after the discovery and my initial reporting of the data breach back on October 20, 2010, I checked for public notices of the data breach in local newspapers, the Wisconsin Office of Privacy Protection data breach listing, and on the websites of the leading not-for-profit organizations that compile and maintain histories of data breaches. There was nothing about the Wisconsin data breach.
After waiting for 10 days, I notified local news outlets, the Wisconsin Office of Privacy Protection (OPP) and the others of the data breach. The Wisconsin Office of Privacy Protection contacted the financial institution; however, there were repeated delays in getting the breach published on the website. The Wisconsin OPP notification was published more than 60 days after the breach was discovered.
Local news outlets were unresponsive to the news about the data breach, and the not-for-profit identity theft, privacy, and data breach organizations would not publish the data breach without reference to news coverage, such as a newspaper article—the Catch-22 of data breach reporting.
This situation highlights some common personal and business security issues. Here is what we can learn.
Job applicants should not provide their Social Security number on initial job applications, nor should employers require them to do so until the applicant is being offered employment. The appropriate time to provide an SSN to the employer is on completion of Form I-9, Employment Eligibility Verification, which is required under federal law.
What became of the original written applications from which the database was constructed? Are the paper applications currently secured, or were they properly disposed of per the FACT Act Disposal Rule and other applicable state laws?
Privacy and security officers and their equivalents must be readily accessible to employees and consumers to receive input on privacy and security issues. A designated privacy or security officer should be willing to identify him or herself by full name and title, at minimum. They should also be willing to investigate whether a reported privacy or security breach is bona fide or a prank. Unfortunately, the software company's staff wrongly assumed the notification discussed in this series of articles was a prank.
Our experience over the years, when contacting financial institutions and requesting to speak with the privacy or security officer, has been dismal. The receptionist or customer service desk either did not know who the privacy or security officer was, or they would not let the caller through even when the purpose of the call was to report a breach.
Data owners (the financial institution in this example) must have third-party agreements requiring the vendors with whom they share personally identifiable information to protect that information. This tenet is a best practice, and it is a rule under applicable state and federal laws. The financial institution is covered under the Gramm-Leach-Bliley Act (GLBA), among other state and federal laws. The GLBA requires that service providers be in compliance with the law. The GLBA Safeguards Rule requires a security officer. The software company did not have an identifiable security officer, which is surprising for a company that received awards from a financial services national association marketing and business development council.
Although the breached database was not a customer database per se, because it was a job applicant database, it is likely that some of the job applicants were also customers of the financial institution. Regardless of whether the victims were strictly customers under the definition of the GLBA, the financial institution and the software company had the responsibility to protect their information.
Organizations should treat all sensitive information with the same reverence as information explicitly protected by federal, state or local laws.
Although the mishandled database may not have been identified as consumer customer data (even though some of the job applicants may have been consumer customers of the financial institution), the mishandling of the information and of the incident reporting raises questions about the security of the financial institution websites that the software company develops.
A few studies have suggested that many data breaches go unreported. We have asserted that there are thousands of times more unreported data breaches than the few that are reported. The reasons for under-reporting are that most organizations lack the systems to detect breaches, many don't know they have a responsibility to report, and others knowingly avoid reporting to protect their credibility, even though almost all states and U.S. territories have enacted breach notification laws.