Knowing that sooner or later you will need to address a data breach within your organization, fear is not the answer. Proactively preparing yourself and bringing good people into the fold to create the right preparation and response team is the right solution.
Do you remember the 2015 LifeLock TV commercial where masked robbers smash their way into a bank with baseball bats? Everyone drops to the ground in fear except for a security guard who just stands there. The customers in the bank tell the security guard to do something about the robbers. Instead, he explains that he is only there to monitor the bank for robberies, not to do anything about them.
That is what one company felt like recently as it experienced a full-on data breach. The company had a pre-existing IT and security vendor contract for support, but the vendor had no experience with actual data breaches and fumbled through a lackluster response. The company reached out to several specialists, including me, looking for assistance in addressing the issue and complying with the plethora of U.S. data breach regulations. I thought it useful to share the experience in the hope that you can avoid a similar fate.
It is one thing to postulate what a data breach might be like, and another thing to live through one. This incident was simple as far as breaches are concerned. The company does business only in the U.S. (so no GDPR!), and it doesn’t operate in a complicated industry such as healthcare. However, the company provides services to federal and state agencies. The company also uses many, many subcontractors to deliver its services, and that means lots of contracts and IRS forms that contain personally identifiable information (PII).
In the early hours of the security incident, we formed an agile response team consisting of:
- Company Chief Executive Officer
- Company Chief Operating Officer
- Company Chief Communications Officer
- An external security advisor
- A digital policy consultant (that would be me!)
Ideally, the team would also have the IT and security vendors on board. However, given their self-declared monitoring status, we chose to keep them as a separate workstream and perform regular check-ins and status updates instead. We instructed the vendor to preserve all data and analysis as forensic evidence and allowed them to continue in their monitoring role.
Starting the notifications chain
We immediately contacted the company’s accounting firm and the bank, with instructions to not allow any withdrawals or wire transfers without an in-person meeting and approval from the company owner. This is a prudent move when you don’t know what has or has not been breached. Even the smartest and best can easily be conned out of money via wire transfers, as we recently saw with Barbara Corcoran of the famous Shark Tank show. Taking this step can temporarily impede payments, including payroll and vendor invoicing. So we developed communications to ensure everyone received an early heads-up about any possible disruptions. A critical point was not to confirm any details of the security breach, but simply to inform people of potential operational impacts and request patience.
It is hard to walk the communications tightrope when you don’t have the full picture of what is happening, don’t want to sound unnecessary alarms, but also want to limit the risk and impact to the organization. For us, that meant quickly answering questions including:
- Where is the issue coming from? Can we remove (even if it just means physically unplugging) devices from the network to stop the problem from growing?
- Can the security event be contained by alerting individuals and businesses proactively?
- Do we have a comprehensive list of individuals whose PII may be exposed?
- Do we have any evidence (forensics) to point to the actual access or transfer of PII, or do we simply suspect it?
- Given that the security breach involved phishing attempts with the company’s logo, signatures, and other identifying information, what revisions can we quickly make to email formats that will signal that the perpetrators or bots have been removed from the network?
- What information do we have to immediately report the suspected incident via the FBI Internet Crime Complaint Center (IC3) channel?
We filed the IC3 form, called the local police department to report the suspected crime, and moved on to the next task at hand: giving possible victims a heads-up. We chose not to alert the broader community (all customers) until we had more insight into the impact of the breach. For the emails that we sent out, we used language along the lines of “We may have experienced a security incident and, as a trusted partner, are alerting you to stay vigilant with your security practices. The Federal Trade Commission and other law enforcement agencies recommend…”. This allowed us to do the right thing without admitting any lapse in security, which could cause legal issues down the road. It also allowed us not to get ahead of ourselves, because we didn't have the full picture of what was taking place.
As we dealt with the security incident step-by-step, it became clear that we would not be able to tell exactly what data was compromised in this breach. We would have to notify everyone who could be impacted that the event occurred, and we would have to comply with all relevant laws and regulations as if the PII had been compromised. So, we developed a communications plan for notifying each U.S. state of the data breach as well as individuals who reside in those states.
Getting through notifications and monitoring
Like most companies, my client didn’t know where individuals may have moved to over time. To get an accurate sense of which states we needed to factor into the notification process, we used all of the individual contact information the company had on file and then ran the data through the National Change of Address (NCOA) database. This allowed us to quickly understand in which states individuals reside and which attorneys general (or equivalent state bodies) we would have to notify of the security event. All of this took place in a matter of hours, since some states require notification of individuals and law enforcement within five days.
When you suffer a data breach and the PII of individuals is or may be stolen, a handful of states require you to provide credit monitoring to those individuals. These include:
- Connecticut (2 years)
- Massachusetts (18 months)
- California, Delaware and North Carolina (1 year)
The other states require notification of individuals about the data breach. Some states require you to explain what happened; some states ban you from doing so. Some request that you tell the notification recipient exactly how many people have been impacted by the breach, whereas others specifically request that you not do so. In some instances, you can notify individuals of the data breach via email, but most states require a letter. It is beneficial to know that credit monitoring services also offer a letter mailing add-on option, so one vendor can handle all of the notifications for you if you don't want to lick and stamp all of the envelopes in house. My recommendation is to go with such a service, since the fee is usually small (about $1-$2.75 per letter) and it frees your in-house staff to focus on other things, including getting operations back on track.
For this project, engaging an external credit monitoring service was relatively straightforward, as I already have a working relationship with most providers. That is not the case for many organizations (after all, how often do you need this service?). I advise understanding the market as part of your policy development due diligence, but not necessarily selecting a vendor. And as with any vendor, I always tell clients to go through due diligence. An Experian may not be a good fit for a small business, and more personalized services such as Kroll don't always suit the large multinational enterprise.
It is also worth noting that data breaches have become so commonplace that most individuals already have credit monitoring services in place from a previous incident. Thus, it is entirely possible that the people you inform, and for whom you secure monitoring services, will not activate them after all. Whichever service you choose to engage, consider whether you want to pay for a full package or a per-activation fee. My advice for this project was to use per-activation pricing, as I believe it will save money for the company.
Best practices embraced
If you can clean up your contact data and work with a data breach or digital policy consultant to develop your letter templates ahead of time, the engagement with the monitoring service is straightforward and usually flows quickly. For this project, setup to mailing of letters took several days. This allowed for quick notification of state law enforcement, in alignment with individual state laws. Note that states differ in terms of their monitoring and expectations. For example, Massachusetts and North Carolina provide online portals for you to report the security incident. Connecticut and Montana request that you send a letter via email. Nebraska requires that you print and mail a form together with a copy of the letter sent to individuals notifying them of the data breach. A few states require a toll-free number that individuals can call to obtain more information about the breach. Some states have unclear requirements and bad websites where you need to decode contact information. I maintain a database with all of these requirements, which made pulling together the plan and instructions easy. The team was able to get through all 50 state notifications in a matter of several hours. Only Massachusetts confirmed receipt. The company was not required to perform any other follow-up activities.
Theoretically, the notification letters and state reporting close a company's communication plan around a data breach. In reality, there is always additional communication that such an incident can spawn. Once individuals receive letters notifying them of the breach, they may have questions and call the company. I like to develop a frequently asked questions (FAQ) file for the company to have on hand to answer questions about what happened, how to set up monitoring, and what all of this may mean for individuals going forward. Credit monitoring services offer call support, so it is worth considering. If you already have a receptionist and a toll-free number (most companies do), then this might be a reasonable task to handle in-house, since the number of calls tends to be minimal.
There will always be cleanup after any data security incident. This includes reviewing your security and data breach policy and protocols, communicating post-incident, and in extreme cases, rebranding to distance your company from the security event. If you did not have cyber insurance before your data breach, you should revisit the need after the event and weigh it against the post-event premium costs. It might be worth obtaining, as I have shared with my client team.
Moving on: Fear is not the answer
Knowing that sooner or later you will need to address a data breach within your organization, fear is not the answer. Proactively preparing yourself and bringing good people into the fold to create the right preparation and response team is the right solution. I never want you to have to hit the floor while your security guard simply monitors the situation. Leave that to the LifeLock commercial.