After-the-Fact Incident Handling as Important as Protection Measures

March 3, 2005
Data breaches are leading public to question and investigate corporate practices

LOS ANGELES, CA - According to ContingenZ Corporation, recent security and privacy breaches in the financial sector are leading consumers and regulators alike to investigate whether or not the affected companies instituted protection measures as claimed and to question whether incidents are taken seriously enough.

Michael Miora, CISSP, an acclaimed expert on incident management and risk reduction, and a previous honoree of Entrepreneur and other magazines, explains, "It is not possible or reasonable to expect that security and privacy protections will be successful 100% of the time. Therefore, it is imperative for a company to plan how it will mitigate the scope of a breach and react quickly to eliminate the exploited vulnerability. The time for this planning is before an incident occurs, not afterwards."

According to Miora, "Poor planning efforts that result in inadequate incident response can exacerbate the effects of the incident and affect the company's reputation even more than the incident itself."

As an example, there was a recent compromise of information held by Georgia-based ChoicePoint, a company which, according to ConsumerAffairs.com and InformationWeek, keeps a massive database of personal information on virtually every American, including information about who we are, what we own, what we owe and even where we go. ChoicePoint initially reported a compromise had put 35,000 California residents at risk for identity theft. It wasn't until later that the company admitted that nearly 145,000 individuals were affected.

Senate Judiciary Committee Chairman Sen. Arlen Specter then announced that the Committee will investigate ChoicePoint and this breach. Miora claims that a proper incident management and response capability that mitigated the risk and provided a faster and better response may have been precluded this investigation.