Help your users understand what to do if their personal information has been compromised.
College kids will be returning to campus within the next week or two. If I had a child heading back to school (no more tuition payments here!), I'd be disheartened by the news coming out of the University of Wisconsin-Milwaukee. Apparently, the university is investigating a breach that affects approximately 75,000 staff and student Social Security numbers.
According to ZDNet, the names and Social Security numbers were exposed due to a malware attack discovered on a database server (it was immediately shut down upon discovery, the school reported).
Literally five minutes before I saw this news, I sent off an article I wrote about college data breaches, and universally, everyone I spoke with said a breach will happen; in this day and age they are hard to prevent, but how you react is vital. But there is something about this recent UWM breach that really stuck out to me. It wasn't the amount of data compromised; it was the time lag. From ZDNet:
The malware is thought to have been installed on May 25th, and local and federal law enforcement were called in to investigate. On June 30th, however, it was discovered that the database containing social security numbers was compromised, also.
Now, I understand why it takes so long. Anyone who has been breached needs to get all of their ducks in a row and have as much information as possible before reaching out to those who may be affected by the breach. And every state is different in the amount of time they have to report an exposure. But look at the dates involved. It's been six weeks since it was discovered that Social Security numbers may have been exposed. That's six weeks where 75,000 people may have had their identities stolen without realizing they had anything to worry about. And according to an article in ComputerWeekly.com, UWM has been criticized for taking so long to get the word out.
That article pointed out that Congress is working on legislation that would mandate a time limit on notification. But not surprisingly, politicians are battling about what that time frame should be and when the countdown should start. Really, it should be a no-brainer. If my records were possibly breached, I would want to know right away so I can be proactive in protecting myself. I understand I'm not like everybody else, however, and there has to be a logical process to notification. But really, six weeks is way too long. That's a problem that must be fixed.