Information technology and processing vendor SAIC recently announced on its website www.saic.com that a data security beach placed protected information of about 867,000 individuals at risk for compromise. SAIC (Science Applications International Corporation) is a Fortune 500® company and the contractor for the TRICARE military health program. The affected information, including demographic data, Social Security numbers and some medical information, was stored on an unsecured server at one location, and some unencrypted information was transmitted over the Internet. SAIC indicates that a forensic analysis found no evidence data was compromised, but it acknowledged that the possibility exists.
What may be the most interesting aspect of this particular data breach incident is the manner in which SAIC responded.
In addition to conducting a full internal forensic evaluation of the scope and risks associated with the breach, SAIC is offering one year of free identity and credit protection services from Kroll Inc., New York, to all affected individuals. SAIC estimates the pre-tax cost of services will be $7 million to $9 million, excluding costs for any necessary credit restoration services. While the company’s gesture certainly demonstrates that it is willing to take responsibility for what occurred, it remains to be seen whether the price ticket for this kind of olive branch is something that other companies can stomach.
SAIC also took a hard-line approach to sanctioning those employees responsible for the breach and sent a very clear message to all its employees regarding SAIC’s commitment to maintaining the highest level of security for personal information. In an open letter to the public dated June 20, 2007 , SAIC CEO and Chairman of the Board, Ken Dahlberg, indicates that “a number of employees have been placed on administrative leave pending the outcome of our investigations.” Then, in his companion letter to SAIC employees, also dated June 20, 2007, he writes:
“The security failure is completely unacceptable and occurred as a result of clear violations of SAIC’s strong internal IT security policies . . . We are working hard to see that this does not happen again, that all comply with policy, and that we all know that failure to comply will not be tolerated….” (emphasis added).
The SAIC incident illustrates several important points. First, it is imperative that entities that handle private health information have clear and effective security policies in place, with appropriate IT backup. Second, these policies and systems should be routinely audited for potential weaknesses. Third, companies need to be properly insured for potential violations. Offering free identity and credit protection may or may not be something an organization wants to consider. And finally, there must be zero-tolerance policy for employees who do not comply with an entity’s privacy and security policies and procedures, and violations must be responded to with quick and appropriate sanctions. Without its employees 100% on-board, an entity’s risk can be as numerous as the number of individuals it employs.