State of California Department of Justice’s (DOJ) data breach incident (State of California Department of Justice, 2019).
Use the following metrics to evaluate the disclosure:
Completeness
Timeliness
Management Involvement
How complete was the disclosure? What aspects of the breach were disclosed (threat – threat agent – vulnerability – actual breach – discovery – investigation – impact – remediation)?
How timely was the disclosure? Did it provide adequate time references for evaluation (report lag, discovery lag, investigation lag, remediation lag)?
Did management involve themselves in the disclosure (signature of C-suite executives)?
You may also consider other aspects to evaluate the disclosure.
Evaluation of the State of California Department of Justice’s (DOJ) Data Breach Incident Disclosure
Completeness
The State of California Department of Justice’s (DOJ) data breach incident disclosure was relatively complete. It included the following information:
However, the disclosure did not include the following information:
Timeliness
The DOJ’s disclosure was timely. The breach was discovered on April 1, 2019, the investigation began on April 1, 2019, and the disclosure was made on June 10, 2019. This is a relatively short period of time, given the complexity of investigating a data breach.
Management Involvement
The DOJ’s disclosure was signed by Attorney General Xavier Becerra. This demonstrates that management was involved in the disclosure and that they took it seriously.
Other Considerations
In addition to the completeness, timeliness, and management involvement of the disclosure, there are a few other factors that can be considered when evaluating a data breach disclosure:
The DOJ’s disclosure was transparent, accurate, and empathetic. It was written in a clear and concise style and did not contain any technical jargon. The disclosure also explained what steps the DOJ was taking to protect the data of affected individuals in the future.
Overall Evaluation
Overall, the State of California Department of Justice’s (DOJ) data breach incident disclosure was well-written and informative. It was complete, timely, and transparent. Management was involved in the disclosure, and the disclosure was empathetic to the affected individuals.
Recommendations
The DOJ could improve its disclosure by including the following information:
The DOJ could also improve its disclosure by providing more specific information about the remediation measures that it has implemented. For example, the DOJ could explain how it is retraining its employees on cybersecurity awareness and how it is strengthening its security measures to prevent future attacks.