Hypothetically, Here’s How to Respond to a Data Breach
How an organization responds within 72 hours of a data breach can be critical.
Take the case of GlobalMart, a hypothetical Boston-based international company that has had a hypothetically horrendous 2014, ricocheting from one data security crisis to another. The make-believe company and its string of bad luck served as an educational opportunity for panelists at last week’s Professional Liability Underwriting Society (PLUS) conference in Las Vegas.
Here are two takeaways from the discussion: first, every data breach, like every company, is different; and second, there is more gray than black-and-white in terms of how and when to respond.
While a breach response checklist is long and may differ by organization and situation, the experts seemed to reach a consensus on some basics. At a minimum an organization will want to summon IT and insurance professionals; preserve any evidence; begin an investigation into the incident, damage and cause; figure out what and how to tell customers, employees and the public; arrange for a customer credit or other protection service and weigh when to notify law enforcement — all while keeping the business open to the extent possible.
Katherine M. Keefe, who heads a global breach response team for Beazley Group, said the conversation surrounding data breaches within companies has changed from “if” a breach might happen to “when” it will happen and “what” to do.
“Companies are not in denial,” said Keefe, who moderated the discussion as panelists reacted to poor GlobalMart’s security woes.
GlobalMart’s first incident involved a manager catching a retail store employee fiddling with one of the company’s point-of-sale devices.
Panelists were asked whether GlobalMart should report the incident to the local police.
AIG’s Jones recommended the company take time to assess the situation before calling in law enforcement. “It could be an innocent event,” he cautioned.
Others agreed, advising that involving police or the FBI right away could hinder the investigation.
“There are issues with involving law enforcement too early,” said Lynn Sessions, an attorney with the law firm of BakerHostetler in Houston. “You may lose control of your investigation and information. Police could confiscate evidence. You are then unable to respond to customers.”
Sessions said that while it’s important to report to law enforcement, there is a right time to do that. She recommends waiting until it is clear there was an actual breach.
In the next hypothetical scenario, GlobalMart officials received a call from an FBI agent telling them the FBI had busted a cyber fraud ring. The ringleader of the fraudsters was the owner of the janitorial services used by GlobalMart. The FBI said it found a hard drive containing 17,000 GlobalMart customer and employee records.
This time the question was how quickly GlobalMart should notify customers and employees about the stolen hard drive.
A majority (47) of states have data breach notification laws, according to the National Conference of State Legislatures. These statutes require organizations to notify individuals of breaches involving “personally identifiable” information. But the states’ laws are not uniform; they vary in what constitutes a breach, how they define personal information and in who must be notified and when. Some states say companies must act as soon as possible after a breach, while others set a deadline of 30 days. On top of that, states differ in what information has to be given to customers and employees.
“Every state has different requirements. You need to know that,” said Fred B. Flint, a benefits consultant with Insurity Group. It was a point stressed by all the panelists.
Jones noted that the clock starts ticking from the time of the breach, not when the company learned of it.
Sessions advised that an organization can’t notify “until it is ready,” meaning until it knows four things: “what happened, how it happened, what the company is going to do for victims, and what the company is going to do to make sure it doesn’t happen again.”
A company doesn’t always know who its customers are, where they are, or how to reach them individually. “There are lots of details to get,” said Jeremy Henley, director of breach services for ID Experts out of California.
According to Keefe, it is important for GlobalMart or any organization to control the notification and what is said about the breach to customers, employees and to the public. But she noted this might be a challenge where a vendor caused the breach (which happens in about 30 percent of cases) and the vendor or its insurance is paying for the notification.
Credit monitoring service is typically a part of a response plan. Flint shared a lesson he learned while working a data breach at Tennessee Blue Cross Blue Shield that affected 1.5 million records. The company offered credit monitoring to data breach victims but spent more than it had to. “We paid upfront for credit monitoring for everyone rather than for what was actually used,” he recalled. It turned out that only 15 percent of those offered the service actually used it. The take-up rate was higher among employees than customers.
AIG’s Jones said the good news for employers is that insurance covers the cost of credit monitoring services.
GlobalMart’s nightmare was not over. On October 1, every employee of the firm received an email with a link to what it said was important salary information. The email was bogus. As employees opened it, the phishing email released malware into the company’s system.
The question became what GlobalMart should do regarding investigating the malware.
Henley offered that by this time the company could be suffering from “breach fatigue” given it has had one bad event after another.
“You can’t just throw up your hands and do nothing,” said Sessions. She urged that the company first move quickly to “stop the bleeding” and then begin an investigation as quickly as possible.
AIG’s Jones said that a company has options about how to proceed with a malware investigation. It may do an internal investigation although not all firms have the internal capabilities to do one. In that case, it may turn to an external forensics firm to investigate, which insurance will pay for. But, he said, the best solution often is to combine both internal and external resources.
Some expressed concern about having the same internal employees who allowed the malware to infiltrate the system essentially investigate themselves.
Keefe said the “level of sophistication of phishing emails is amazing” and many look legitimate.
Insurity’s Flint said the incident points up the importance of educating employees and doing random phishing exercises to catch scams.
Sessions agreed that phishing can “fool very smart people” and suggested some employers might want to take a page from the FBI’s playbook. She said the FBI sends three bogus emails to employees over a period of time. An employee who opens the first bogus email gets a warning; if they open the second test email, they get a written reprimand, and, if they open the third, they are fired.
GlobalMart’s troubles continued. On October 8, a blogger requested an interview with the company regarding a rumor that the company had suffered a massive global breach. Two hours later, the firm received an email warning that its website would be hacked.
The question for panelists was whether GlobalMart should speak with the blogger or the press.
Henley said not to talk yet. “We don’t know we have a breach or that we are under attack. We need to get the facts first.”
Keefe agreed. “The natural tendency is to want to tell constituents about something,” she said while reminding that forensic investigations take weeks, sometimes months. “Don’t go out with a ‘half-baked’ story before the forensics are complete.”
In addition to deciding whether to speak and what to say, deciding who does the talking is also important.
Panelists noted that while a public relations manager may be a good choice in many situations, public relations should not be confused with crisis management.
Sessions said if the CEO is good with the media and with crisis management, he or she could be the spokesperson.
But Keefe had a caution. “If you use the CEO first and it doesn’t go well, where do you go from there?”
Jones said the right answer might evolve over time as the situation changes. Maybe the public relations person goes first in the crisis, then later the CEO becomes the spokesperson as, hopefully, the situation improves.
Flint suggested a similar approach, noting that in many companies the CEO gets to talk about the “good news” while the PR department handles the crisis stories. If handled well, a crisis can become a positive story and then the CEO gets to tell it.
Keefe said that soon after a breach there is a need to quickly communicate with many constituencies including customers, employees, the public at large, the media, board of directors, analysts and others. She encouraged the use of a crisis management team.
Sessions noted that communications have to be clear and consistent because plaintiff lawyers will pick up any discrepancies between what the public and customers are told versus what the board or investors might be told.
Panelists were asked if GlobalMart should delay its third quarter earnings press release because of the global breach.
Henley said GlobalMart should go ahead and face the controversy head-on while Sessions predicted that the quarterly results would be overshadowed by the breach development at the earnings press conference.
Breach Response Plan
Just as important as what an organization does within the 72 hours after a breach, if not more so, is what it does before an incident to establish a response plan.
Beazley’s Keefe advised that every company have a breach response plan that is multidisciplinary, encompassing information technology, legal, insurance, human resources, public relations, forensics, consultants, vendors and other resources and that spells out how to contact these people quickly.
Keefe also said that organizations are looking to their insurance brokers and carriers for guidance on cyber issues.
Flint said there must be “clear accountability” placed on someone to develop and maintain a response plan and there must be clarity on who makes what decisions. A company must know the data breach laws in the states where it operates. In addition, it is important not only to develop a plan but also to practice it, he said.
Henley of ID Experts said a company should have a “checklist of what to do when the house is on fire but do it when the house isn’t on fire.”