The governor of South Carolina wants the hacker(s) who got away with sensitive information on millions of the state's residents slammed against the wall! You can bet that the three quarters of the state's residents whose unencrypted Social Security numbers were stolen would like to do the same. The bad news is that the attack appears to have come from a foreign country, so no slamming is in the cards. Unlike the governor, I suspect that the residents would also like to slam those responsible for protecting their highly sensitive data, as more information comes out about the lack of basic safeguards that could have significantly reduced the risk of harm to those affected. I say the chance of finding someone to slam here is better: how about slamming the governor (figuratively speaking, of course) as the chief executive, where the buck should stop! Let's face it, when a well-organized hacking group decides to break into a network there is no guarantee that any practical safeguard can stop them, but the electronic data they are after can be better protected, for example with NIST-approved encryption such as AES, with the keys kept out of the database that holds the data. Data that was properly encrypted, and whose keys were not also compromised, generally falls under the encryption safe harbor in most state data breach notification laws and the federal HIPAA breach notification rule, so such an incident may not have to be reported as a breach at all. Most hackers, just like fraudsters, look for vulnerable networks and barriers that can be easily breached and lead them to unprotected PII and PHI.
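To make the encryption point concrete, here is an added example (mine, not code from the original post or from any South Carolina system) of field-level encryption of a Social Security number with AES-256-GCM, a NIST-approved mode. The `TaxpayerRecord` type, the taxpayer ID and the SSN value are constructed for the example; the assumption is that the key is generated and held somewhere other than the database holding the records (a KMS or HSM in practice). A database dump then yields only the name and an opaque blob, and any attempt to swap the blob onto another record, alter it, or open it with another key is rejected by the authentication tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewKey returns a fresh random 256-bit data-encryption key. In a real deployment
// the key lives in a KMS/HSM, never in the same database as the encrypted fields.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one PII value with AES-256-GCM. The context string is passed
// as additional authenticated data, binding the ciphertext to its row so that an
// attacker with write access cannot move an encrypted SSN between records.
// Output is hex(nonce || ciphertext || tag).
func EncryptField(key []byte, plaintext, context string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(context))
	return hex.EncodeToString(sealed), nil
}

// DecryptField opens a value produced by EncryptField. Any change to the nonce,
// ciphertext, tag, key or context makes the tag check fail and returns an error.
func DecryptField(key []byte, encoded, context string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := hex.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(context))
	if err != nil {
		return "", err // wrong key, tampered data, or wrong context
	}
	return string(pt), nil
}

// TaxpayerRecord is a constructed stand-in for a row in a revenue database.
type TaxpayerRecord struct {
	ID   int
	Name string
	SSN  string // encrypted field; the bare number is never stored
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	rec := TaxpayerRecord{ID: 42, Name: "Jane Doe"} // constructed sample data
	rec.SSN, err = EncryptField(key, "123-45-6789", fmt.Sprintf("taxpayer:%d", rec.ID))
	if err != nil {
		panic(err)
	}
	// What a stolen database dump leaks: a name and an opaque blob.
	fmt.Printf("stored: %+v\n", rec)

	// Only the application holding the key recovers the value.
	ssn, _ := DecryptField(key, rec.SSN, "taxpayer:42")
	fmt.Println("decrypted:", ssn)

	// The same blob re-attached to another taxpayer fails authentication.
	if _, err := DecryptField(key, rec.SSN, "taxpayer:43"); err != nil {
		fmt.Println("context mismatch rejected:", err)
	}
}
```

The safe-harbor argument only holds if the key is not stolen alongside the data, which is why the key is generated outside the record store here; an attacker who gets both the dump and the key has everything, and GCM also requires that a nonce never repeats under one key, which the per-field random nonce handles for realistic record counts.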
As a "reactive" response to this devastating data breach, the governor has directed all cabinet agencies to immediately designate an information technology officer to work with the state Inspector General to improve the state's information security policies and procedures. Does it always have to take a breach before decision-makers recognize the need for information security and prioritize it? Sadly, this is more often than not the case, and it can be said about many companies in the private sector as well. Unlike the banking industry, where information security has been a high priority for over a decade, other industries, such as healthcare, find themselves under siege and unprepared for ever-increasing cyber attacks. In addition, they suffer from traditional security and privacy weaknesses, including ineffective employee training, weak policies and procedures, and a lack of incident response planning. Although technology plays an important role in both creating and closing vulnerabilities, you can't ignore the human factor.
Halloween is still a few days away, but South Carolina residents got tricked into thinking that their information was safe in the custody of their Department of Revenue. I decided to use the phone number (866-578-5422) provided to the affected residents to get a sense of what their experience will be like when they try to find out more about the situation and protect themselves. Well, I am afraid that the process will not be too comforting. The automated answering system directed me to Experian's ID protection website along with an activation code. I opted for the option to talk to a human, and I was told by the "automated" system that I should call some other time, and was disconnected. I was calling during the hours of operation for the line, according to the machine. The process felt very cold and uncaring, and I suspect that the state's reputation will suffer, not only for failing to prevent the incident in the first place but also for how it is managing its response.
The best time to prepare for an incident is before it happens, but you have to convince yourself and your entity that incidents are bound to happen, and that they don't have to result in a reportable breach or a PR nightmare. Building and testing an incident response plan is a very useful and practical investment for any entity that collects and shares PII and PHI. How an entity responds to a breach and handles its interactions with those affected is its only opportunity to rehabilitate its image and reputation. That opportunity should not be squandered if the entity truly cares about its customers, employees and reputation.