Sensitive information leaks in businesses are hard to avoid, as even major names like Bank of America, LexisNexis, Time Warner, DSW Shoe Warehouse, T-Mobile, and the University of California, Berkeley have recently experienced data breaches.
In reality, there are hundreds, if not thousands, of companies with sensitive personal data that have been compromised without public knowledge.
Diana McKenzie, President of the IT Department at Neal, Gerber & Eisenberg, a law firm in Chicago, stated: “There are hospitals that accidentally disclose information about a few AIDS patients, or banks that inadvertently reveal the complete financial details of a depositor. There are countless examples like this.”
For Chief Information Officers (CIOs), it is essential to understand two things. First, it is no longer a matter of whether your company will experience a data leak, but when it will happen. Second, you need to know how to handle the situation before your company unexpectedly becomes part of the 10% involved in scandals that flood the media across the country.
A New Reality
Scott Sobel, Vice President of Levick Strategic Communications, suggests that previously, companies could blame data breaches on unfortunate accidents, but now people are likely to believe that such incidents are due to negligence or intentional sabotage.
Thus, you need immediate solutions to these incidents. However, relying solely on traditional methods of handling threats like viruses or hacker intrusions is insufficient, as today’s risks can originate from a wide variety of sources.
Rich Baich, CEO of PricewaterhouseCoopers and former information security expert at ChoicePoint, noted, “The failures of companies in incident handling over the past year have forced them to redesign their responses to similar situations in the future.” Earlier this year, it was discovered that ChoicePoint had leaked information to parties masquerading as legitimate businesses.
According to Baich, companies need to create a centralized and accessible mechanism through which employees or the public can report potential data breach risks, one that does not require high technical skills to use. Similar to a customer hotline, every company should have a well-trained rapid response team that follows a decision tree to make appropriate decisions based on the nature of the issue.
Depending on the specifics of each organization, a specific incident handling protocol should be established. You can choose to report incidents directly to the general counsel, the Chief Security Officer (CSO), or the company president. Regardless of the choice, the reporting process must be clearly defined and agreed upon in advance.
“Consolidating incident handling into a single point will help avoid the common tendency to downplay reports of incidents,” McKenzie remarked. “I can’t remember how many times I’ve seen employees forget to ask for a phone number or even the name of the caller.”
Team Spirit/Collaboration
The era when the IT department alone handled information security incidents is long gone. Nowadays, the public relations (PR) and legal teams need to get involved as quickly as possible, even while assessing the severity of the issue. McKenzie stated, “As you begin to repair, document, and understand the problem, lawyers must immediately start mitigating risks, and the PR team must prepare for external communications.”
For example, at Vanguard Managed Solutions, when a serious security incident occurs, the marketing, legal, and IT departments must collaborate to determine how to inform customers about the incident.
Information disclosure must also comply with legal requirements. Baich advises, “If the police ask you to keep quiet for fear that public disclosure will hinder the investigation, you should obtain that request in writing to avoid future complications.”
Some experts believe that companies need to establish unified response measures for faster reactions. “Public information disclosure needs to happen quickly, and it wouldn’t be ideal to start with a blank sheet of paper,” said Peter Gregory, security strategist at VantagePoint Security LLC.
Calculated Speed
But don’t rush. “You may not want to wait two days, but you can wait 20 minutes,” Gregory advises. “You need to follow emergency procedures so that before the PR person steps up to the microphone, the information flow has followed the right channels from the leak detection to the IT department and then to PR and legal.”
McKenzie also notes that we should respond with careful speed. While slow responses can be detrimental, it’s also important to act judiciously, as the whole country may become aware of the incident.
To avoid accusations of insufficiently swift action, McKenzie suggests hiring an IT investigation consultant, even if you believe your IT team is capable of effectively analyzing web logs and other data. This demonstrates that you are taking the issue seriously. If someone decides to sue you for damages, the PR team can present a strong argument that you acted promptly by hiring an expert: “We hired this expert to help resolve the issue quickly.”
You should keep a log of any actions taken by the security team and anyone they interacted with. “When everything is logged, it will be easier if someone asks what happened,” Baich stated.
Finally, when the time comes to inform customers or the public about the incident, be empathetic and reassure everyone. Those affected by these incidents often feel that their situation is met with a lack of empathy. If you do not show a kind, caring attitude, the likelihood of litigation increases significantly.
A security incident will raise doubts about the company’s ability to continue performing effectively. Therefore, you must think carefully before making statements aimed at assuring the media and customers that you are in control of the situation and addressing the issue.