San Antonio Symphony Gets Hit With A Data Breach

The 2/14/2017 edition of the San Antonio Express-News published an article by David Hendricks that reports on a data breach at the San Antonio Symphony (SAS). According to the report, hackers managed to secure “the names, birth dates, social security numbers and addresses for about 250 employees.”

The data breach, which is thought to have occurred Monday and was discovered that afternoon, didn’t compromise data for donors, season-ticket holders or other patrons, said symphony President David Gross.

“None (of those) were at risk. That information is kept separately and is protected by firewalls,” Gross said. Vendor information wasn’t taken either, he said.

The article also reports that the organization is developing a strategy to deal with the repercussions.

Adaptistration People 206To that end, it’s worth pointing out an article here from 12/18/2014 that provides a great deal of information and resources for developing a Data Security Breach Policy (DSBP). The article explains what a DSBP is, why it is important to have one in place, elements it should contain, and several resources for additional information.

Since that article was published, one of the key resources, the Legislative Language, Data Breach Notification document, is no longer available. It was originally available from under the Obama administration but was removed by the Trump administration. The latter administration has offered no substitute document and given its aggressive position toward swift deregulation, it is difficult to imagine they will champion such a position.

Fortunately, there have been multiple bills calling for a single federal standard for data breach notification based on the most recent Obama era recommendations. As of now, the most recent piece of legislation, H. R. 1770 the Data Security and Breach Notification Act of 2015, is making headway toward becoming a law.

In addition to bills at the federal level, the National Conference of State Legislatures reports at least 26 states introduced or are considering security breach notification bills or resolutions. The organization maintains a list of each and the corresponding status.

Regardless the outcome, arts organizations would be wise to use the recommendations as a template for crafting a DSBP. It is worth noting that H. R. 1770 contains mutually exclusive measures for nonprofit organizations:

 NON-PROFIT ORGANIZATIONS.—In the event of a breach of security involving personal information that would trigger notification under subsection (a), a non-profit organization may complete such notification according to the procedures set forth in subsection (d)(2).



(A) IN GENERAL.—If, after making reasonable efforts to contact all individuals to whom notice is required under subsection (a), the covered entity finds that contact information for 500 or more individuals is insufficient or out-of-date, the covered entity shall also provide substitute notice to those individuals, which shall be reasonably calculated to reach the individuals affected by the breach of security.

(B) FORM OF SUBSTITUTE NOTIFICATION.—A covered entity may provide substitute notification by—

(i) email or other electronic notification to the extent that the covered entity has contact information for individuals to whom it is required to provide notification under subsection (a); and

(ii) a conspicuous notice on the covered entity’s Internet website (if such covered entity maintains such a website) for at least 90 days.

(C) CONTENT OF SUBSTITUTE NOTICE.—Each form of substitute notice under clauses (i) and (ii) of subparagraph (B) shall include the information required under paragraph (1)(B).

In the meantime, the SAS data breach should serve as a strong warning to all nonprofit performing arts organizations about the importance of data security.

About Drew McManus

"I hear that every time you show up to work with an orchestra, people get fired." Those were the first words out of an executive's mouth after her board chair introduced us. That executive is now a dear colleague and friend but the day that consulting contract began with her orchestra, she was convinced I was a hatchet-man brought in by the board to clean house.

I understand where the trepidation comes from as a great deal of my consulting and technology provider work for arts organizations involves due diligence, separating fact from fiction, interpreting spin, as well as performance review and oversight. So yes, sometimes that work results in one or two individuals "aggressively embracing career change" but far more often than not, it reinforces and clarifies exactly what works and why.

In short, it doesn't matter if you know where all the bodies are buried if you can't keep your own clients out of the ground, and I'm fortunate enough to say that for more than 15 years, I've done exactly that for groups of all budget size from Qatar to Kathmandu.

For fun, I write a daily blog about the orchestra business, provide a platform for arts insiders to speak their mind, keep track of what people in this business get paid, help write a satirical cartoon about orchestra life, hack the arts, and love a good coffee drink.

Related Posts