As discussed last month The Irish Blood Transfusion Board suffered a security incident whereby a CD containing encrypted information on blood donors was stolen in New York City.  This was the first major publicly reported data loss incident that we have seen in Ireland.  As promised in earlier posts, now that the dust has settled I would like to highlight some of the key lessons learnt from this incident.  Hopefully these lessons can be applied to your own situation to ensure that your next incident can be handled well.

Lesson 1 – Know Where Your Data Is.
Careful thought went into the process of sending the CD to New York in the first place and it was evident that the IBTS clearly knew what data was on the lost CD and who it impacted.  When the CD was lost the IBTS knew exactly the potential impact of the loss.

If you do not know where your data are then you will spend a lot of time in your incident handling trying to determine what the impact of the incident is.  Time better spent dealing with the actual incident itself.  Remember that in an incident time can be your biggest enemy and it is a very finite resource so spend it wisely.

Lesson 2 – Protect Your Data
Knowing where you data lies is one part of the puzzle.  Ensuring that data is adequately protected given where it is located is another part.  If you have sensitive data resting on insecure media and devices then you need to ensure it is properly protected by using strong encryption techniques.  If you are exchanging data with a third party then make sure you do so in a secure manner and one that is in compliance with the Data Protection Act.  This is especially true when sending personal data outside the state and/or the EU.

Lesson 3 – Have Alerting Mechanisms in Place
You need to ensure that you have appropriate alerting mechanisms in place to warn you when a potential incident is occurring.  These alerts can come from your security, system and network logs.  You should also ensure you have mechanisms in place that allow staff to know how to report and incident.  If dealing with third parties ensure that you have clear guidelines in place for them to report to you in a timely manner if they have suffered a breach that can impact on your organisation. 

It is not clear if a formal arrangement was in place between the IBTS and the supplier in this particular case.  However, it is worth noting that the incident took place on February the 7th in New York and the IBTS were made aware of it the next day.  Given time zone differences then this is a good response.  (Thanks to Owen O’Connor for pointing out the timing to me).

Lesson 4 – To Disclose or Not To Disclose
Currently there is no legislation within Ireland to obligate an organisation that suffers an information security incident that exposes personal information to publicly disclose the fact, an issue that we have commented on before.  The IBTS have to be commended on the way they decided to disclose in such a timely and open fashion.

The decision to disclose is a contentious one for many companies, especially as they are not obliged to.  But perhaps this decision is one that should be made before the incident occurs?  If your organisation was to suffer an incident today would you know what the policy is regarding disclosure?  Do you need to get legal advice on your disclosure policy?  If so, best to do that now rather than before the incident occurs.

Lesson 5 – Communication 
One of the most valuable items that can be damaged during an incident is your organisation’s reputation.  If the incident is handled badly then your organisation’s profile can be negatively impacted.  Don’t forget that your professional reputation could equally take a nose dive if associated with a particularly bad response. 

However the opposite is also true.  A well handled incident can maintain and in some cases enhance an organisation’s reputation.  Key to achieving this is ensuring that open and honest communication is given to interested parties, be they customers, staff, press, shareholders or the public in a timely manner.  You need to bear in mind that you should communicate only what is necessary and appropriate given the stage of the incident response.  You do not want to release information that may be crucial to a criminal case, that should have been released internally before going public or indeed could tip off the attacker(s) as to what stage of the response you are at.

To this end it is important to have properly trained personnel who deal with press and the public on a regular basis.  Make sure that only authorised people talk to the press and that those people have had the proper training and information to hand.  Trust me you do not want your techie geek to be cornered by a seasoned journalist.  It was impressive in the case of the IBTS that their CEO was quickly on the radio explaining the situation in a calm and open manner.  The press release from the IBTS was also very good in providing the required information.

What is also impressive is that the IBTS within a very short time frame had sourced a supplier to handle the postal notifications to each of the over 170,000 people impacted.  How would your organisation handle notifying all its customers in a timely fashion?

Lesson 6 – Learn from Incidents
While this incident was handled very well, you should always review how the incident was handled and see how things could be improved.  Always look to see how management handled the situation, were the right people involved to make the appropriate decisions?  If not then close that gap.  Did all the processes work as they should?  If not then what could be improved?

One last piece of advice, don’t wait for an incident to happen within your organisation to learn where the problems are.  Regularly test your IR plan to see if there are gaps in roles, responsibilities, processes and tools.  Also try to learn from how other organisations handled incidents, both the good and the bad, and see if you can apply the lessons learnt from them to yours.