If you have been following the non-Sandy news this week, you’ve probably heard of the South Carolina Department of Revenue data breach, which involves 3.6 million people and records dating back decades. Needless to say, it wasn’t a good day for the state. In typical fashion, the press conference was scheduled on a Friday and the response has been chaotic – but don’t worry, I heard the phone wait time is now down to 10 minutes, from 12 minutes #sarcasm. The governor has made some interesting comments about the details of the breach which are now coming under fire. One of those comments was about the state’s lack of encryption:
“The governor’s comments reflect unawareness of data security practices and are not at all reassuring,” network security analyst Avivah Litan told Computer World.
Litan was referring to Haley’s claim that South Carolina was following “industry standard” practices when it failed to encrypt Social Security data that was stolen earlier this year by hackers presumed to be affiliated with an Eastern European crime syndicate.
She is not making her job any easier by trying to explain away the state’s lack of preparedness and proper information security.
“The best time to prepare for an incident is before it happens, but you have to convince yourself and your entity that incidents are bound to happen, though they don’t have to result in a reported breach or a PR nightmare. Building and testing an incident response plan is a very useful and practical investment for any entity that collects and shares PII and PHI. How an entity responds to a breach and handles the interactions with those affected is the only opportunity to rehabilitate its image and reputation. This opportunity should not be squandered if the entity truly cares about its customers, employees and reputation.”