Anyone watching the news over the past years and several months has heard about major data breaches at the federal government, Sony, Anthem, and Target Stores. Data breaches are often big news.
But data breaches can occur in small places too. Oldham County, Kentucky, is located twenty miles northeast of Louisville. Some of Louisville's most remote suburbs are located there, but much of the county is rural. In 2010, only 60,000 people lived in the county, along with 4700 horses. North Oldham County High School is located in Goshen, Kentucky, a town of less than 1000 people. In September, a food service employee at North Oldham High School noticed that something was wrong with her work computer after clicking on a link sent in an email. She had tried to access the Internet and go to a particular website, but her browser took her to a different site instead. She called the school technology coordinator, and the coordinator found that there was an issue and notified the IT staff with the school district. The school district conducted an investigation and learned that an intruder had, in fact, gained access to the computer. Housed on the computer was a database consisting of the names, telephone numbers, Social Security Numbers, and dates of birth of approximately 2800 current and former students.
A spokesperson for the school district said, "This can happen any day, to anybody. It's not an uncommon kind of scam." The investigation involved school district staff, the staff of the software supplier, other computer experts, and the legal teams for both the district and the Kentucky Department of Education. Ultimately, it was decided that a breach had occurred. The school district sent letters to each of the 2800 individuals notifying them of the breach and offering them advice as to how to protect their identity going forward. It gave notice to the three major credit bureaus. The district also set up a dedicated email address and gave a telephone number for those affected to call with questions. The district also said that it would improve its systems going forward.
The cost of such an intrusion can be extensive. They can easily extend beyond the immediate cost of fixing the technical problem. There are the embedded expenses of counsel, providing notice to affected persons, costs of forensic work, the time lost to deal with the situation, and other costs. If the district did not have cyber-insurance coverage, then the costs to the bottom line for the district (or to any small business that experiences a similar intrusion) would be immense.
Faruki Ireland & Cox has extensive experience handling potential data breach situations large and small, and we can help you to review and improve your systems and security before a breach happens.