Big Data can mean big risks.

New sophisticated data collection and analysis tools can unlock amazing insights into customer habits and other business imperatives, but they can also create problems, since the massive amounts of information could be maliciously plundered by hackers or compromised by absent-minded employees.

Experts say a breach is no longer a question of if, but of when, and just as much focus needs to be placed on what should happen after data is compromised as on trying to prevent a breach.

“You need to do something right away,” says Thomas Zeno, of counsel for law firm Squire Sanders with 25 years of experience in the U.S. Attorney's Office for the District of Columbia. “In this environment, where privacy is becoming more important and a focus of government, individuals, and shareholders, you have to move quickly. You have to investigate, figure out what the requirements are, and fix things.”

An initial step is to determine how the breach occurred, says Ken Stasiak, CEO of SecureState, a management consulting firm specializing in information security.

Nearly 90 percent of the time, companies discover that a breach occurred from external entities, not in-house detective work, Stasiak says. The payment card industry, for example, may detect that credit cards were compromised before the issuer or a retailer does. “In other instances, outside customers, white hat hackers, and the media can end up informing them of the breach,” he says.

Once notified, a company should execute an incident response program, outline the activities that need to be followed, and delineate responsibilities.

“You have to have a plan in place, so you are not trying to invent one the morning a breach is discovered,” Zeno says. “You need to prepare in advance and make reasonable preparations for what is, unfortunately, a high likelihood. You've got to get the team together.”

That team cannot be limited to just the CIO or IT department. “We highly recommend getting C-level people involved in the breach discussions,” Stasiak says. He says the perception may be that the IT group was responsible for the breakdown of controls, so it may try to underplay the impact, which could lead to additional problems down the road.

Next, companies should follow a process of: identification (what caused the breach); containment (plugging the holes in the system); and remediation (following a plan to not only fix the problem, but make sure it doesn't happen again).

Whom to Notify?

Zeno suggests that media liaisons also be brought in to aid with the public disclosure process and field inevitable media inquiries. That also leads to a crucial question: Whom do you tell, and when? When is a breach large enough or damaging enough to warrant disclosure to consumers and regulators?


“Depending on what industry you are in, or what state you are in, your reporting requirements may differ,” says Craig Spiezle, executive director and president of the Online Trust Alliance, a global non-profit organization that promotes online security. “There is reporting to regulatory authorities at the state and federal level, potentially reporting to law enforcement, and ultimately to end users who may be affected. For example, under the Health Insurance Portability and Accountability Act, the threshold that triggers notification is 500 people.”

If you do business abroad, there are other disclosure requirements to be aware of. Starting this past August, companies doing business in the European Union, or that have customers there, are required to notify authorities within 24 hours of a data breach discovery.

While many companies see such mandates as unrealistic, Spiezle thinks they may have themselves to blame, because many have traditionally done their best to keep breaches quiet for months, prompted to disclose them only once regulators or the media discovered them.

The good news, he says, is that working with regulators may not always be confrontational. “If someone wants to break into your home they will break into your home,” Spiezle says. “Regulators recognize that and are not going after a business that is victimized. But they want to go after a business that has failed to take reasonable steps.”

EU officials have similarly said they understand that a company may not immediately know the nature or extent of a breach. “But they at least want you to say that you had one,” Stasiak says. “They don't expect you to have all the forensics done.”

Zeno warns, however, that companies also have to realize that regulators may not limit penalties to cases of actual damages suffered by customers. In recent cases, they have fined companies, even if customer data wasn't directly compromised after a breach, on the basis of “unjust enrichment.” In other words, the company unjustly profited at the expense of customers by holding onto funds that should have been spent on security.

“When it comes to disclosing information to the public it's pretty much Crisis Management 101,” he adds. “You need to be transparent and empathetic about the issue.”

What to Say After a Breach

The following is a sample letter offered by the Online Trust Alliance for going public with a data breach.

Dear [Name of User or Patient]:

I am writing to you with important information about a recent breach of your personal information from [Name of Organization]. We became aware of this breach on [Insert Date] which occurred on or about [Insert Date]. The breach occurred as follows:

(Describe event and include the following):

1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

2. A description of the types of unsecured information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved).

3. Steps the individual should take to protect themselves from potential harm from the breach.

4. A brief description of what the organization is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.

5. Contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, an e-mail address, Web site, or postal address.

Optional Considerations:

To help ensure that this information is not used inappropriately, [Name of Organization] will cover the cost for one year for you to receive credit monitoring.

We take very seriously our role of safeguarding your personal information and using it in an appropriate manner. [Name of Organization] apologizes for the stress and worry this situation has caused you and is doing everything it can to rectify the situation.

We have established a toll-free number to call us with questions and concerns about the loss of your personal information. You may call [Insert Toll Free Number] during normal business hours with any questions you have.

We have also established a section on our Web site with updated information and links to Web sites that offer information on what to do if your personal information has been compromised.

Source: Online Trust Alliance.

“Being defensive about a breach is fatal to public acceptance,” Stasiak adds. He says Adobe, for example, poorly handled its response to a breach of the data for 38 million customers. Its initial “no comment” is the sort of thing that irritates both the public and regulators, and prompts the security industry to attack them for not responding or placing a priority on securing their systems, he says.

There should be post-breach opportunities to perform an autopsy of what happened and take steps to assure, to the extent possible, that it doesn't happen again. “Lessons learned is a key component to any incident response program,” Stasiak says. This should entail working with technology and security experts, in-house and external, to develop a remediation roadmap.

Raising Employee Awareness

Spiezle, who worked with Microsoft for 14 years before joining OTA, says there has been a transformation in how companies view security. It is more frequent now for them to commit to security audits and, when new products or services are developed, to bring security issues into those brainstorming sessions right from the start.

Just as a compliance officer may push a code of conduct or anti-corruption training down to individual employees, security matters also need to be everyone's responsibility. “It needs to be embedded in the DNA of a company,” he says. “Everyone's job is to be thinking about these things. The larger corporations are doing more employee awareness training to raise that visibility.”

Companies are also, unlike in the past, increasingly willing to share information about the breaches they suffered with peers and competitors, often at conferences and trade shows.

“Ultimately you are not only judged by what you did or didn't do, but if all your competitors are having the same problem,” Spiezle says. It is important to work together and share breach information to stave off additional regulatory action that, ultimately, will “stifle innovation and erode consumer trust.”