Do You Have A Data Security Breach Policy Yet? (Spoiler: You Should)

In case you missed it, Reuters published an article on 12/13/2014 reporting that the Federal Bureau of Investigation (FBI) has warned U.S. businesses to be on the alert for a sharp uptick in Iranian-sponsored hacking activity. A recent Iranian effort, Operation Cleaver, successfully infiltrated military and civil infrastructure systems in the US, and given the state of security measures at many nonprofit performing arts organizations, it is high time to treat a major data breach not as an academic exercise but as a likely event. So, is your organization prepared with a Data Security Breach Policy?

There are two primary areas your organization needs to be concerned about:

  1. A policy for notifying ticket buyers, donors, and anyone else whose records in your database are affected by a security breach, along with written procedures for containing the breach and analyzing the incident.
  2. Verifying the breach notification policies of the business-to-business (B2B) service providers that either directly manage or have access to your database records.

To make sure everyone is on the same page here, a security breach is generally defined as any of the following:

  • hackers gaining access to data through a malicious attack.
  • lost, stolen, or temporarily misplaced laptops, mobile devices, portable storage drives, etc. that store personal or sensitive data.
  • employee negligence (creating weak passwords, leaving a password list in a publicly accessible location, IT staff members incorrectly configuring a security service or device, etc.).

The Federal Government maintains an extensive list of definitions along with guidelines for notification in a document titled Legislative Language, Data Breach Notification.

Keep in mind that you will need to verify this process with your legal counsel to make sure your policy conforms to any state and/or local data breach notification requirements. In general, though, the last thing you want to do is attempt to keep a breach quiet or simply ignore it on the assumption that someone else will handle the incident response process.

In 2012, The American Bar Association published a document titled Hogan Lovells’ Model Data Security Breach Preparedness Guide that contains a detailed overview of measures you should consider for containing and analyzing a breach along with steps for notifying law enforcement and affected individuals. Although slightly dated, it is still an excellent guide that covers not only internal processes but B2B relationships.

Another worthwhile resource, albeit also from 2012, is the Data Breach Response Checklist from the US Department of Education (DoED). If you are entering this topic from square one, it is an excellent resource that walks through each critical element of why you need a policy and what it should include, all in an organized checklist format.

One piece of advice from that document worth highlighting here is making sure your organization has assigned an Incident Manager to take a key leadership role in the incident response process. If, at your next senior staff meeting, the question “who is our data breach incident manager?” produces audible blinking, you might have a problem. Likewise, don’t dump the responsibility onto the shoulders of a mid- to entry-level IT employee just because it deals with something techy; instead, and as the DoED document points out, this role should become the duty and responsibility of a VP/Director-level employee.

B2B Connections

With the rise in popularity of cloud-based data storage systems, performing arts organizations need to be doubly careful about the B2B data security breach policies in place with their providers, especially those providing Customer Relationship Management (CRM) and Box Office/Ticketing services. For the orchestra and opera fields this includes Tessitura, Ticketmaster, SalesForce, Choice Ticketing Systems, Paciolan, and an increasing host of additional providers.

Tip: don’t overlook some of the increasingly common data analysis/mining firms that maintain complete access to your patron database records, including telemarketing providers.

If your web provider syncs user data with your CRM/Ticketing systems or provides any direct e-commerce functionality, you need to include them in the mix as well. As an example, here’s a copy of the B2B notification policy that is part of the Terms of Service from my managed web service for performing arts orgs and artists, The Venture Platform:

5.e. Should THE VENTURE PLATFORM determine that there has been a security breach that has compromised your account we agree to notify you as soon as reasonably possible but only after we have investigated the breach and fulfilled our legal obligations under applicable law.

Given that the last week of December can be a good time to catch up on odds and ends, add a to-do item for checking with your B2B providers about their data breach policies and make sure they adequately address your concerns: in particular, what they count as a breach, how quickly they will notify you after discovering one, and what details they will provide. Your own obligation to notify patrons may hinge on how soon you learn of a breach, so a vague or open-ended notification commitment from a provider is worth asking about.

About Drew McManus

"I hear that every time you show up to work with an orchestra, people get fired." Those were the first words out of an executive's mouth after her board chair introduced us. That executive is now a dear colleague and friend but the day that consulting contract began with her orchestra, she was convinced I was a hatchet-man brought in by the board to clean house.

I understand where the trepidation comes from as a great deal of my consulting and technology provider work for arts organizations involves due diligence, separating fact from fiction, interpreting spin, as well as performance review and oversight. So yes, sometimes that work results in one or two individuals "aggressively embracing career change" but far more often than not, it reinforces and clarifies exactly what works and why.

In short, it doesn't matter if you know where all the bodies are buried if you can't keep your own clients out of the ground, and I'm fortunate enough to say that for more than 15 years, I've done exactly that for groups of all budget size from Qatar to Kathmandu.

For fun, I write a daily blog about the orchestra business, provide a platform for arts insiders to speak their mind, keep track of what people in this business get paid, help write a satirical cartoon about orchestra life, hack the arts, and love a good coffee drink.
