a global affairs media network

www.diplomaticourier.com

Making Sure You’re Not Toast After a Data Breach Jam

June 21, 2011

In the years that I have been helping companies deal with data breaches, some things have changed. Mainly, this has been the size and volume of the breaches, the severity of the impact, and the extent of the damage to consumer trust, together with the pioneering of class action lawsuits against name-brand companies like Honda, Sony, Ameritrade, and Aetna in connection with alleged data breaches.

In recent days, we’ve seen hits on big financial institutions such as Citibank, payroll service companies such as ADP, the International Monetary Fund, the CIA, defense contractor Lockheed Martin, and of course, Sony Playstation, where an alleged breach compromised the personal data maintained on some 100 million customer accounts, reportedly costing the company in excess of $170 million. If anything, the pace of attacks is accelerating. Yet preparedness in most companies whose systems hook into the Internet (and isn’t that essentially everybody?) continues to lag.

Some of this is understandable. Few companies actually know exactly what data they have, where it is “from,” where it is “going,” who is responsible for it, and what its authorized uses are. These may seem like obvious requirements, but in practice, undertaking a data audit can be an extensive, expensive exercise, especially for companies whose customers or staff operate in more than one country. Such an audit is worth doing, but it can take time. While an audit is in mid-stream, there are still things a company can do to prepare for the possibility that one of its systems somewhere will be breached, and that it may not immediately know just how bad the breach is.

The most basic tool is having a crisis management plan in place that covers the risk of breach. In practice, a data breach generally requires the simultaneous skill and cooperation of security, legal, audit, and communications professionals, working as an integrated team and able to report and make recommendations promptly to the CEO and board of directors. Having protocols developed ahead of a breach will help. And these need to include scenario planning, and ideally, simulations, so that those involved have been through the drill to see what works and what does not ahead of an actual crisis.

While it may be obvious that a company that has had a breach needs to have a spokesperson designated to answer questions from the media, communications also need to take place in a sequenced fashion with relevant government officials, customers, business partners, service providers such as payment processors and financial institutions, and one’s own employees – potentially in many countries. Q&A documents and fact sheets regarding the breach will be needed (often with little time to prepare them), along with the elements of a mitigation plan to protect those who are at risk as a result of a compromise. Doing this on the fly is at best a suboptimal path to protecting a company’s reputation with the people who are most important to its future.

A lot of this can be pre-positioned by a company’s communications professionals and general counsel’s office working together ahead of a breach, and then tailored to address the actual facts of a breach should it take place. But every breach has its own idiosyncratic elements, and no set of scenarios is likely to anticipate every element of the actual crisis.

In reality, when a crisis hits, you can’t assume you will have all of the information you need, that the information you think you have is accurate, that you will be able to get that information to your key people at the same time, or even in time, and that the external environment will be friendly, sympathetic, predictable or fair. Some of what can go wrong will go wrong. There’s probably at least a 50-percent chance of the toast landing butter-side down when it hits the floor.

Given this reality, a company should have someone “in charge” of data breaches ahead of time to act as the fulcrum for managing the crisis if it happens. Usually, this will be the general counsel or their designee. But as lawyers take over, it’s vital to accompany the legal decisions with a communications plan for both internal and external messaging. What is said, and when, will inevitably have a substantial impact on how the breach is perceived by everyone affected – from regulators and attorneys general to employees, customers and plaintiffs’ lawyers. So a communications professional should be integrated into the team from the outset, with what will be said to whom treated as an issue that is as fundamental as getting the breach plugged and the vulnerable protected.

Jonathan M. Winer is Senior Vice President at APCO Worldwide and former U.S. deputy assistant secretary of state for international law. 

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.