Second, as this State Department teleconference briefing details, the system in place at the State Department included Privacy Act violation warnings to would-be accessers. The lesson? Warnings alone aren't always enough.
Third, the system in place included alerts that informed supervisors of possibly improper accesses. A good and important feature that we could all use, but --
Fourth, the supervisors who were notified didn't notify their superiors, including the Secretary of State, until three separate violations had occurred.
And therein lies the largest lesson -- one we see again and again in both private and public sector breaches.
The minute you know a breach has occurred is the minute to let the head of the company (or organization) know a breach has occurred. Period.
Whether or not the password breach turns out to be what early reports indicate -- a bonehead move by contractors who a) should've known better and b) should've had more responsibility, if nothing else, to the contractor that employed them -- or an ongoing embarrassment (Passportgate!), it's the mishandling of notification of the breach up the responsibility/public exposure chain that should be the takeaway lesson for everybody whose business includes confidential information stored electronically.
And that's just about all of us.