Convio Security Issues Revisited
The Convio security breach is in the news again, this time in the New York Times, just in time for the holiday giving season. NTEN members Beth Kanter and Allan Benamer are both quoted, and both raise really important issues that you need to consider.
“This wasn’t the best time for this to happen,” said Beth Kanter, a consultant and blogger. “It’s a matter of donor stewardship, and while it’s not an emergency, you need to treat it as if it was one.”
Beth's right. The holiday giving season is upon us. Even if your organization was not affected by this breach, you need to let your stakeholders know what you're doing to protect their data, and proactively help them protect it themselves. Remind your stakeholders about good password policies. Let them know you're looking out for them.
Credo and TechSoup, a nonprofit organization that helps charities with technology, posted notices on their Web sites. Other organizations relied on e-mail messages or letters to inform donors and newsletter subscribers.
In an interview, Mr. Benamer said that was not enough.
“Organizations need to put a notice on their Web sites and contact the traditional media,” he said. “As long as people don’t know what’s happening to them, they can’t defend themselves.”
Allan raises a good point. If your data is breached, when and how do you notify your affected stakeholders? In 33 states, it's not a matter of judgment, it's a matter of law. California's Data Breach law is considered the toughest in the country, stating:
Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person....
For purposes of this section, "notice" may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) E-mail notice when the agency has an e-mail address for the subject persons.
(B) Conspicuous posting of the notice on the agency's Web site page, if the agency maintains one.
(C) Notification to major statewide media.
Note that the law requires organizations to report a breach via written notice, not just an e-mail, though I would certainly think organizations would want to reach out in every way possible: e-mailing as well, posting the notice on their sites, and working with the media.
A quick and transparent response is the only way that an organization can keep or regain the trust of its stakeholders, even when the breach is not the organization's fault.
Does your organization have a security breach policy in place?
It is worth pointing out that the CA law you cite does not appear to apply to the Convio disclosure.
The law's definition of "personal information" is limited in scope and the disclosure of only names and email addresses would not seem to be applicable...but nonetheless, I agree that disclosure would be seen as a good security policy regardless of what the law reads.
I Am Not A Lawyer but this seems to be the relevant excerpt from the law that you cited:
(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.