In case you missed it, the 12/13/2014 edition of Reuters published an article reporting that the Federal Bureau of Investigation (FBI) has warned U.S. businesses to be on the alert for a sharp uptick in Iranian-sponsored hacking activity. A recent Iranian effort, Operation Cleaver, successfully infiltrated military and civil infrastructure systems in the US, and given the degree of security measures at many nonprofit performing arts organizations, it is high time to begin treating a major data breach not as an academic exercise but as a likely event. Consequently, is your organization prepared with a Data Security Breach Policy?
There are two primary areas your organization needs to be concerned about:
- A policy for notifying ticket buyers, donors, and anyone else stored in your database who is affected by a security breach, alongside a written policy with steps for limiting the breach and analyzing the incident.
- Verifying the notification policy from your business-to-business (B2B) service providers that either directly manage or have access to your database records.
In order to make sure everyone is on the same page here, a security breach is generally defined as:
- hackers gaining access to data through a malicious attack.
- lost, stolen, or temporarily misplaced laptops, mobile devices, portable storage drives, etc. that store personal or sensitive data.
- employee negligence (creating weak passwords, leaving a password list in a publicly accessible location, IT staff members incorrectly configuring a security service or device, etc.).
The Federal Government maintains an extensive list of definitions along with guidelines for notification in a document titled Legislative Language, Data Breach Notification.
Keep in mind, you’ll need to verify this process with your respective legal counsel in order to make sure your policy conforms to any state and/or local data breach notification requirements, but in general, the last thing you want to do is attempt to keep a breach quiet or simply ignore it, assuming someone else will adequately address the incident response process.
In 2012, The American Bar Association published a document titled Hogan Lovells’ Model Data Security Breach Preparedness Guide that contains a detailed overview of measures you should consider for containing and analyzing a breach along with steps for notifying law enforcement and affected individuals. Although slightly dated, it is still an excellent guide that covers not only internal processes but B2B relationships.
Another worthwhile resource, albeit from 2012, is the Data Breach Response Checklist from the US Department of Education (DoED). If you are entering this topic from square one, it is an excellent resource for walking through each critical element related to why you need a policy and what it should include, all in an organized checklist format.
One piece of advice from that document worth highlighting here is making sure your organization has assigned an Incident Manager to take a key leadership role within the incident response process. If, at your next senior staff meeting, the question “who is our data breach incident manager?” produces audible blinking, you might have a problem. Likewise, don’t dump the responsibility onto the shoulders of a mid- to entry-level IT employee just because it deals with something techy; instead, and as the DoED document points out, this role should become the duty and responsibility of a VP/Director-level employee.
With the rise in popularity of cloud-based data storage systems, performing arts organizations need to be doubly careful about the B2B data security breach policies in place with their providers, especially those providing Customer Relationship Management (CRM) and Box Office/Ticketing services. For the orchestra and opera fields this includes Tessitura, Ticketmaster, SalesForce, Choice Ticketing, Paciolan, Choice Ticketing Systems, and an increasing host of additional providers.
If your web provider syncs user data with your CRM/Ticketing systems or provides any direct e-commerce functionality, you need to include them in the mix as well. As an example, here’s a copy of the B2B notification policy that is part of the Terms of Service from my managed web service for performing arts orgs and artists, The Venture Platform:
5.e. Should THE VENTURE PLATFORM determine that there has been a security breach that has compromised your account we agree to notify you as soon as reasonably possible but only after we have investigated the breach and fulfilled our legal obligations under applicable law.
Given that the last week of December can be a good time to catch up on odds and ends, add a to-do item for checking with your B2B providers about their data breach policies and make sure that they adequately address your concerns.