A recent article on bankinfosecurity.com highlights the personal impact on a CISO of the mishandling of a data breach. Breaches are so commonplace that the reality of a breach itself is rarely cause for a senior executive to resign – unless there was an obvious case of negligence. However, evolving breach notification rules place an emphasis on transparency and immediacy. Failings on either front can put pressure on executives to “own” the breach.
School District CISO quits over data breach
In an article published in February 2022, Bank Info Security reported on a story first uncovered by local broadcaster WFAA in Dallas. The story by Jeremy Kirk details the resignation of a CISO over the handling of a data breach.
“Rajin Koonjbearry was the CISO for the Dallas Independent School District, which is the second-largest public school district in Texas, with 230 schools and 145,000 students. Koonjbearry submitted his resignation by email on Oct. 28, writing that he was “afraid the details of the breach will become public at some point, and Dallas ISD will lose credibility,” according to a scoop by Tanya Eiserer of local broadcaster WFAA.
WFAA also reveals why: The district failed to tell the public that the source for the breach was two of its own students. The news station uncovered the fact through a public records request.
The district had been oblique about the cause of the breach, and it’s unclear why. In its public data breach notification, the district said that “an unauthorized third party accessed the district’s network, downloaded data and temporarily stored it on an encrypted cloud storage site.”
The district’s explanation isn’t on the mark. If students were involved, they would be a first party, not a third party. The district also waited nearly a month before informing the public of the breach and then claimed in a tweet on Sept. 3, 2021, that it believed in “transparency” around it.”
As we’ve said before, in a digitally transformed landscape, data breaches are almost inevitable. The Dallas Independent School District story emphasises the pitfalls that need negotiating following a qualifying breach under the prevailing notification rules. However, not all breaches are qualifying breaches. Even under the strictest of data protection regulations, like the GDPR, if the data is protected by robust encryption, it does not automatically qualify.