A data scandal roll call would include big names in nearly every industry. Bank of America, LexisNexis, Time Warner, DSW Shoe Warehouse, T-Mobile and the University of California, Berkeley, to name a few, have recently experienced data security breaches. And some experts say that there are hundreds if not thousands of other, less-publicized cases in which sensitive personal data has been compromised.
"There’s the hospital that unwittingly exposes a couple of AIDS patients, or the bank that inadvertently discloses to a creditor someone’s complete financial background," says Diana McKenzie, who chairs the IT group at Neal, Gerber & Eisenberg LLP, a Chicago law firm. "There are tons and tons of examples like that."
For CIOs, this trend means two things: It may not be a case of whether your company will experience a data security breach but when it will experience such a breach. And, particularly if you’re one of the unlucky 10 percent or less who find their stories blasted throughout the national news media, you’d better know beforehand how you’re going to respond when a breach occurs.
A New Reality
"In days gone by, you could have thrown up your hands and said, ’Geez, this was an accident,’ " says Scott Sobel, vice president at Levick Strategic Communications in Washington. "But now people are more familiar with IT processes, and they may believe that if controls weren’t in place, someone was negligent or malicious."
That’s why your immediate response to a security breach is all-important. And it’s not enough to lean on processes you’ve put in place to respond to more traditional threats such as viruses and hacker infiltration. Today, threats can emanate from sources as varied as fraudulent businesses or tape thieves.
"The failures in the business processes that have occurred this year are causing organizations to redesign the way they respond to future incidents or anomalies," says Rich Baich, managing director at PricewaterhouseCoopers and former chief information security officer at ChoicePoint Inc. in Alpharetta, Ga. Earlier this year, it was revealed that ChoicePoint had released consumers’ personal financial information to data thieves posing as legitimate businesses.
One important change worth considering, Baich says, is to create and publicize a central mechanism for employees or the general public to report possible breaches, including incidents involving low-tech actions such as fraud or tape theft. There should be a response team that follows an established set of protocols, not unlike those of customer service hot lines, where a trained group follows a decision tree and escalates its response depending on the nature of the problem.
The exact response protocol will be unique to each organization. Some may want to report directly to the general counsel, others to the CISO, and others to the president of the company. However you choose to do it, the escalation procedure should be defined and agreed upon in advance.
"It needs to be something that says, ’During Christmas time, from this hour to this day, John Brown is head of the team, and he’ll have access to this attorney and this PR person and this decision-maker and this representative of the union, instantly,’ " Sobel says.
Having a central point of contact would also help avoid the common problem of not taking incident reports seriously, McKenzie says. "If a busy executive gets a call from a person outside the company who doesn’t sound sophisticated, or from someone lower in the organization who thinks something odd is happening, there’s a tendency to dismiss it," she says. "I can’t tell you the number of times I’ve had a person forget to get the phone number or even the name of the person who called."
The word team can’t be overemphasized, McKenzie says. The days are gone when IT worked in isolation on security incidents. The public relations and legal departments need to be involved as soon as possible, even as you’re still figuring out the depth and breadth of the problem. "While you’re starting to fix, document and understand the problem, you want to start the lawyers mitigating risk and the PR folks preparing communications," McKenzie says.
"The IT guy keeping it to himself is a really bad idea," she adds. Not only are there disclosure requirements, but your public relations people will also need some lead time to fully understand the problem and prepare a response.
At Vanguard Managed Solutions LLC, IT works hand in hand with the legal and marketing departments during times of crisis. In the 300-employee managed services provider in Mansfield, Mass., security incidents are escalated to management-level employees in the network operations center, says Eric Welz, senior solutions architect. If the incident is determined to be severe enough, marketing, legal and IT work together to determine how it should be communicated to clients.
Now more than ever, lawyers are crucial for correctly interpreting and responding to federal and state privacy laws. For example, California’s Senate Bill 1386 requires organizations to disclose security breaches that involve private information about California residents. California Assembly Bill 1950 requires "reasonable security" controls for California residents’ data. The Washington state government also recently enacted several bills addressing security breaches, and other states may soon follow.
Your legal department might decide to involve local law enforcement, which could affect whether your company is allowed to disclose any information about the breach. If the police ask you to keep mum because they’ve determined that public disclosure would inhibit the investigation, be sure to get a letter documenting that request to avoid conflicts later, Baich says.
Some experts suggest that companies develop boilerplate language to enable a faster response. "Disclosures are sometimes required to happen quickly, and that’s not the time to start with a blank piece of paper," says Peter Gregory, chief security strategist at VantagePoint Security LLC in Bellevue, Wash.
But don’t rush. "You don’t want to wait two days, but you can wait 20 minutes," says Gregory. "You need to follow the emergency procedures so that when the PR person is in front of the microphone, the information has flowed properly from the point of discovery, through IT management and sideways to PR and legal."
Or, as McKenzie puts it, "respond with cautious speed. On the one hand, a delay in responding can be fatal, but on the other, you need to have a reasoned response, because this could be broadcast all over the country."
To avoid accusations that you didn’t work quickly enough to solve a problem, McKenzie suggests calling in an IT forensics consultant -- even if you think your IT staff is talented enough to analyze Web logs and other records effectively. "It shows you’re taking it seriously: ’We hired this gunslinger to help solve the problem expeditiously,’ " she says. "If someone sues you for damages, it looks good from a PR standpoint that you hired someone immediately."
You should keep a fact-finding log to record any actions that the security team takes and any people it contacts, and that log should include the precise timing of every action. "When that’s all logged, it’s easier when someone asks what happened," Baich says.
Finally, when it comes time to communicate with customers or the general public, "be understanding and reassuring," says McKenzie. "There’s a tendency for people harmed by these incidents to sense a lack of empathy for their situation." A kind and caring attitude on your part may lessen the chance of lawsuits and other litigious behavior, she says.
"A security disaster will cause many to doubt the company’s ability to continue operating," Gregory says, "so you need to respond with well-thought-out statements that give the media and customers confidence that you’re in control and are dealing with it."
Mary Brandel is a Computerworld contributing writer in Newton, Mass. Contact her at firstname.lastname@example.org.