Do you remember the Best Western security breach from last year? It is still relevant, in that it illustrated a case of what NOT to do when it comes to reporting a security breach. First, the Best Western hotel chain was quoted in a story that hackers stole eight million credit cards worth roughly 2.8 billion Euros (Times Online).
Columnist Bernhard Warner writes: The Herald, we were also informed, notified the hotel chain before publishing the story. The company thanked the paper for its vigilance and closed the breach…
But then Best Western sent out a self-righteous denial that a security breach had ever happened. And a few days after that, the company admitted that a breach did happen after all, but that only 10 customers of one particular Best Western hotel in Berlin were affected, and that the vulnerability had been closed.
Which story are we supposed to believe? Best Western handled this so badly that, even if the second or third version of the story is true, its reputation is going to take a huge hit.
As I mentioned in a Solutions Daily article (Alarming figures on increasing number of IT security attacks a wake-up call for Canadians), the national survey showed that more than 20 per cent of enterprises reported a loss of private data as a result of security attacks and breaches, up from 10 per cent two years ago. Since companies are getting breached all the time, they ought at least to know how to report the incident properly.
For companies facing a data security breach, there are guidelines on how and when to notify the public (these come courtesy of the Privacy Commissioner of Canada, but plenty of other organizations recommend essentially the same thing).
Some highlights from their guidelines on how to report the security breach:
When to notify: Notification of individuals affected by the breach should occur as soon as reasonably possible following assessment and evaluation of the breach. However, if law enforcement authorities are involved, check with those authorities whether notification should be delayed to ensure that the investigation is not compromised.
How to notify: The preferred method of notification is direct – by phone, letter, email or in person – to affected individuals. Indirect notification – website information, posted notices, media – should generally only occur where direct notification could cause further harm, is prohibitive in cost or the contact information for affected individuals is not known. Using multiple methods of notification in certain cases may be appropriate. You should also consider whether the method of notification might increase the risk of harm (e.g., by alerting the person who stole the laptop of the value of the information on the computer).
Who should notify: Typically, the organization that has a direct relationship with the customer, client or employee should notify the affected individuals, including when the breach occurs at a third party service provider that has been contracted to maintain or process the personal information. However, there may be circumstances where notification by a third party is more appropriate. For example, in the event of a breach by a retail merchant of credit card information, the credit card issuer may be involved in providing the notice since the merchant may not have the necessary contact information.
Vaclav Vincalek July 9th, 2009 10:01:00 AM
