Office of the CIO-Projects & Strategic Initiatives
Connect December 2007 Security Article

Information Security Breaches

by Thomas Roberts, Information Security Analyst

The state of Ohio information security breach incident provides a great opportunity to remind us of the importance of data stewardship and employing best practices. Unfortunately, I am among the group of notified state workers at risk for identity theft. Now speaking from experience, receiving the notice is not enjoyable and it reflects poorly on the sending organization’s data stewardship practices. Organizations entrusted with protecting large amounts of personal data are reporting exposures of sensitive data, placing innocent people at risk for identity theft. In addition to protecting our own individual sensitive data, we need to be aware and proactive with the responsibility of handling others’ personal information.

Most states have enacted breach notification laws and organizations are required to notify the affected individuals in a timely fashion. Although notification letters usually contain proactive language and a tone of concern, some recipients do respond in anger.

The following comments are provided as examples of responses to an information security breach at another university.

“Please stop giving my information to identity thieves. I would give you the rest of my contact information, but I am afraid it would be stolen.”

“If there is a lawsuit, believe me I will happily join it.”

“How could this possibly happen without utter rank incompetence and a carefree attitude toward data security?”

“You incompetent (expletives)! I will never donate another penny to you.”

In the referenced circumstance, those affected were properly notified; however, outrage remains regarding the organization’s security practices, and those affected may also sever future business relationships. These breach incidents are not only expensive in regard to incident response but can cause long-term damage to an organization’s public reputation.

The Ohio Office of the Inspector General (OIG) report regarding the state breach prompts a similar reaction. As with the adage “hindsight is 20/20,” the events that led to the information breach were preventable. The following is a sample of the identified problems:

  • The breach occurred when a backup tape containing sensitive data of hundreds of thousands of state of Ohio employees was stolen from the car of a college intern working in information technology.
  • The college interns were not given specific instructions regarding the care of the backup tapes except to “bring them back” to work the following day. These instructions were even incorporated in the Ohio Administrative Knowledge System (OAKS) Business Continuity Plan published in spring 2002.
  • It is possible the stolen tape was discarded in the trash at the apartment complex where the theft occurred. By the time it was reported that the tape contained sensitive information, the trash pickup cycle had already occurred. This delay significantly hindered the recovery of the tape.

The backup tape contained sensitive information regarding state of Ohio employees who filed state taxes. The state offered identity theft protection services to the victims. The expected costs are estimated to be in the millions, which will be paid for by Ohio taxpayers.

Appalling as it is, the state of Ohio breach is not unique when compared to other information exposure incidents. Many involve hard-working people, information technology devices, time constraints and the lack of well-understood and viable policies. What starts as a small problem can compound into a large failure.

As information security analysts we are commonly asked to review information technology projects and provide advice regarding security. Our recommendations are based on best practices for the confidentiality, integrity and availability of sensitive information. Sometimes our advice is greatly appreciated and other times there are complaints about our recommendations. The goal is to prevent information security breaches and maintain the public trust. This helps support the academic mission of the University.

With the increased awareness regarding identity theft, many customers are becoming more proactive regarding their personal information. For example, some shred personal financial documents and ask specific questions about how their personal information will be stored and processed. Some customers have taken such a proactive stance that they have become watchdogs for potential information exposures.

Information security breaches are costly and publicly embarrassing no matter how proactively the response letters are written. It is the responsibility of all of us to prevent information security breaches here at BGSU. Practice good data stewardship habits, help others gain this knowledge and let the public know you take this responsibility seriously. Not only will this proactive stance be refreshing, but it will also set a great example for other organizations regarding information security.

For more information about information security and data stewardship visit www.bgsu.edu/infosec.