The 2/14/2017 edition of the San Antonio Express-News published an article by David Hendricks reporting on a data breach at the San Antonio Symphony (SAS). According to the report, hackers obtained “the names, birth dates, social security numbers and addresses for about 250 employees.”
The data breach, which is thought to have occurred Monday and was discovered that afternoon, didn’t compromise data for donors, season-ticket holders or other patrons, said symphony President David Gross.
“None (of those) were at risk. That information is kept separately and is protected by firewalls,” Gross said. Vendor information wasn’t taken either, he said.
The article also reports that the organization is developing a strategy to deal with the repercussions.
To that end, it’s worth pointing out an article here from 12/18/2014 that provides a great deal of information and resources for developing a Data Security Breach Policy (DSBP). The article explains what a DSBP is, why it is important to have one in place, elements it should contain, and several resources for additional information.
Since that article was published, one of the key resources, the Legislative Language, Data Breach Notification document, is no longer available. It was originally published on whitehouse.gov under the Obama administration but was removed by the Trump administration. The latter administration has offered no substitute document, and given its aggressive position toward swift deregulation, it is difficult to imagine it will champion such a document.
Fortunately, there have been multiple bills calling for a single federal standard for data breach notification based on the Obama-era recommendations. The most recent of these, H.R. 1770, the Data Security and Breach Notification Act of 2015, was taken up in committee in 2015 but never reached the House floor, and it expired with the end of the 114th Congress in January 2017; any successor will have to be reintroduced.
In addition to bills at the federal level, the National Conference of State Legislatures reports at least 26 states introduced or are considering security breach notification bills or resolutions. The organization maintains a list of each and the corresponding status.
Regardless of the outcome, arts organizations would be wise to use the recommendations as a template for crafting a DSBP. It is worth noting that H.R. 1770 contains a specific provision for nonprofit organizations, which allows them to satisfy the notification requirement through the substitute-notification procedure (e-mail plus a conspicuous website notice) rather than individual notice:
NON-PROFIT ORGANIZATIONS.—In the event of a breach of security involving personal information that would trigger notification under subsection (a), a non-profit organization may complete such notification according to the procedures set forth in subsection (d)(2).
[…]
(d)(2) SUBSTITUTE NOTIFICATION.—
(A) IN GENERAL.—If, after making reasonable efforts to contact all individuals to whom notice is required under subsection (a), the covered entity finds that contact information for 500 or more individuals is insufficient or out-of-date, the covered entity shall also provide substitute notice to those individuals, which shall be reasonably calculated to reach the individuals affected by the breach of security.
(B) FORM OF SUBSTITUTE NOTIFICATION.—A covered entity may provide substitute notification by—
(i) email or other electronic notification to the extent that the covered entity has contact information for individuals to whom it is required to provide notification under subsection (a); and
(ii) a conspicuous notice on the covered entity’s Internet website (if such covered entity maintains such a website) for at least 90 days.
(C) CONTENT OF SUBSTITUTE NOTICE.—Each form of substitute notice under clauses (i) and (ii) of subparagraph (B) shall include the information required under paragraph (1)(B).
In the meantime, the SAS data breach should serve as a strong warning to all nonprofit performing arts organizations about the importance of data security. Note that what was taken here was employee HR data (names, birth dates, Social Security numbers and addresses), which is exactly the combination needed for identity theft; patron and donor records are not the only sensitive data an arts organization holds, and a DSBP should cover employee and payroll records as well.