George Hulme recently wrote about an anticipated WikiLeaks exposure of Bank of America files and used Bank of America’s attempts to prepare for the disclosures as an opportunity to discuss how to respond to a breach. George writes, in part:
The idea isn’t to bury the news, or prepare executives how to lie, but to proactively deal with any potential reverberations from such a bunker-busting breach as quickly and efficiently as possible.
“When you’ve been hacked, and you know it’s coming, the worst thing to do would be to ignore it,” says Matt Kucharski, senior vice president at the Minneapolis-based public relations firm Padilla Speer Beardsley.
[…]
Kucharski says once an incident is underway, best practice response calls for four strategic prongs: assess, make a plan of action and the execution of that plan, communication, and an evaluation of how the plan went, or is going.
Read more on ThreatPost.
I don’t completely agree with George’s statement that most of the lasting impression isn’t going to be how the breach occurred. I think that when a breach involves a laptop with unencrypted sensitive information being stolen from an employee’s car, the entity’s customers or employees will be left with a negative impression no matter how great the follow-up and communication might be. Perhaps the only thing a company can do in that scenario to win back its users’ fuller confidence is to fire the employee and make it clear that any employee who violates security policies does get fired.
I would add the following recommendations on communication following a breach:
- Be upfront about the number of people affected.
- Be upfront about how the breach occurred.
- Be upfront about when – and how – you discovered the breach.
- Offer the customers free services if the data involved are such that their risk of ID theft or fraud is now increased – however small you think or desperately wish to believe the risk is.
- Those affected do not need false platitudes and reassurance. They need information and solid advice not to take any chances. There is no place for stupid statements like, “We have no evidence to believe that your data have been misused.” Data can first be misused months or even years later. A company’s attempt to downplay the seriousness of a breach in a misguided attempt to protect their reputation may lead to people not taking steps to protect themselves from the increased risk they now face.
- Set up a dedicated phone line with trained professionals to assist people who want to call for more information or help. Have the phone line open on evenings and weekends for the first month after the notification.
- Post a notice on your web site with a prominent link from the home page.
- Don’t be afraid to talk to reporters or bloggers. While we are out to get the story and details, don’t assume that whatever we write will hurt your reputation. If you’re handling things well, you might even wind up with positive press.
So your solution is to find a scapegoat to hang and that is supposed to restore public confidence?
It’s far more important to assess the policies and procedures that allowed such an incident to happen. Who is responsible for making sure that mobile devices are encrypted? The end user? No. The CIO’s office, where there should be an adequately traned and qualified CISO in charge. Who is responsible for training end users on proper security procedure? Who is responsible for setting the policy governing the proper handling and storage of mobile devices?
If an organization has the right policies in place and enforces them, the proverbial stolen unencrypted laptop should never be able to happen. Blaming the hapless employee who had the misfortune to misplace the device is no solution. All it does is deflect the blame from where it belongs: on management.
I was referring to those situations in which management has the right policies in place but the employee violated the policy. Yes, you can argue that management should be ensuring that policies are followed and I agree with that, but really, at some point, if the employee knows he’s not supposed to leave his laptop in his car and leaves it there anyway, he should be fired. And in those situations, that’s what I think the company needs to do and to tell those affected. And if it turns out that the problem was with management, well, then, maybe management needs to be fired.
If the right policies and procedures weren’t in place, then that’s a different story and the focus is on revising policies and procedures to prevent recurrence.