The leading experts in campus-wide payment solutions to independent schools.

Blog

The First 24 Hours After a Data Breach

Last week, two schools announced that their private data had been breached. This begs the question: What needs to happen in the 24 hours after a data breach? Our team reached out to Coalfire, a company who provides risk assessment and testing on information security, and discussed the “what if” situation.

data breach

Planning

“The vast majority of organizations that suffer data breaches do not self-detect them,” said Coalfire Managing DIrector Joe Krause. “Law enforcement, credit card companies, and other agencies often identify an issue first.”

Target’s recent data breach during the holidays is an example of this, as their internal team was alerted from an external source. As a school, there are plenty of different forms of private data that could be of interest to a less than favorable character (social security numbers, financial information, addresses, etc.).

With so much information under your supervision, it’s important to have a plan in place to prepare for such a situation. “Schools need to have a proactive measure, an incident response plan,” said Krause.

The First 24 Hours

When data is breached, your plan should immediately be enacted. There are legal obligations, law enforcement obligations, and someone who represents the school needs to make an announcement. Each state has their own privacy laws, so it’s important to include these legal obligations in a response plan. Further, if law enforcement didn’t contact you about the breach, it’s important to loop them in so a proper investigation can occur. “If not trained, it’s very easy to contaminate the crime scene. Everyone involved needs to be very careful,” said Krause.

After obligations have been met, someone, traditionally a business executive, makes an official announcement about the situation. The announcement often includes when it happened, who identified  the issue, who will be affected by it, what is being done to solve it, and proactive approaches the affected parties can take to reduce any negative impact.

Many schools also offer a dedicated resource line so that concerned parties can seek out additional information or support to help monitor their information. Further, many organizations offer some sort of service for a year that allows the affected parties to monitor their financial information and also alert the credit agencies. Krause also suggests that consumers can be proactive by monitoring their credit scores and being vigilant.

Interested in how your school can be more secure?