How to Respond to a Data Breach

By George Hulme

You’ve been robbed. Maybe you don’t know to what extent. Perhaps the crook simply took the opportunity to snag a notebook sitting in the back of a car and doesn’t care about the data. Perhaps it was a planned burglary, and now a competitor or political activist group has gigabytes of potentially embarrassing emails from one of your top executives. Maybe attackers grabbed sensitive medical files and are now extorting you: pay up, or the files are released publicly.

It sounds like a movie plot, but such incidents, in addition to the standard hack-and-grab data breaches, occur every day. Maybe such an incident won’t happen to your organization; maybe it will. Like betting on which years you can safely go without personal health insurance, betting that your organization won’t be targeted is a nearly impossible and potentially dangerous call to make.

“Today it is not a matter of if – but when – a crisis happens. And then it comes down to the extent of the crisis and your level of preparedness,” says Kevin Kosh, partner at Waltham, Mass.-based Chen PR. “It’s like data backup: You can’t wait until your server goes AWOL to decide how to react. If you are not prepared when it happens, it’s too late.”

Bank of America is currently preparing for such a crisis: it is widely believed that the anti-secrecy organization WikiLeaks is in possession of a trove of files from a prominent banking executive, and, based on past comments by WikiLeaks founder Julian Assange, Bank of America is widely thought to be the bank in question. The bank is concerned enough that, according to PBS, it has hired the brand-protection consultancy MarkMonitor, which has in recent weeks bought more than 400 Bank of America-related domain names, in what could be an attempt to stem any public backlash once sensitive, perhaps inflammatory, files are released.

How does an organization brace for the potential blowback from a breach such as this – or any other major security event? “Right now they [Bank of America] are doing what they need to do. They are doing everything they can to know what data could be had out there. They are trying to connect the dots so that if the crisis breaks they can answer everything they can right out of the gate,” says Kosh.

The idea isn’t to bury the news or to coach executives on how to lie, but to deal proactively with any reverberations from such a bunker-busting breach as quickly and efficiently as possible.

“When you’ve been hacked, and you know it’s coming, the worst thing to do would be to ignore it,” says Matt Kucharski, senior vice president at the Minneapolis-based public relations firm Padilla Speer Beardsley. “The potential for a crisis is itself a crisis. You have to assess the situation and develop your ‘break glass if this happens’ plan – and then monitor, monitor, monitor for related events,” he says.

Having the communications and action plan in place is the key. The lasting impression after a security breach, or any IT crisis, isn’t going to be how the breach occurred, what technologies broke down, or even what data was stolen. It’s much more likely to be how well, or how poorly, the company responded.

Kucharski says that once an incident is underway, best-practice response has four strategic prongs: assess the situation; make a plan of action and execute it; communicate; and evaluate how the plan went, or is going.

“Once the incident begins, gather all of the facts you can. Find out what happened. Find out why and how it happened. Measure its potential impact. Find out what constituents were hurt: employees, customers, partners, competition. Then gather who needs to be involved in decision-making and response,” he says.

For a sizable breach, that generally means senior IT leadership, legal, communications, and potentially other divisions. While it’s tough to think of a breach or IT crisis as a narrative when you’re in the thick of it, that’s exactly what it is: an unfolding story.

“The difference between a positive story and a negative story is in focus on the conflict or the resolution. In a negative story, you explain what happened and why and then focus on how you are going to resolve it,” Kucharski says.  

That means the bulk of the communication will highlight the actions taken to help those affected, the steps taken to mitigate the damage, and the measures put in place to ensure it doesn’t happen again. Most important, all of this needs to be decided before any public outreach. The only way to give an organization a reasonable chance of pulling the communications response together during a crisis is to have a plan in place beforehand and follow it. That takes leadership.

“Senior management needs to demand that a protocol is in place for such events,” says Kucharski. Putting that plan in place requires, much like a disaster recovery plan, that the appropriate stakeholders know their roles ahead of time.

That could include senior management, legal, human resources, communications teams, and IT. And, just like when testing disaster recovery plans, running through potential scenarios can help a business get through the real thing.

“Every few months a team should brainstorm things that could go wrong, and focus on events that have a high likelihood of occurring and would also have a high negative impact to the business,” Kucharski advises.

Without such planning, says Kosh, there’s little hope of responding well when it counts. “It’s about rapid, intelligent, response,” he says. “Currently the disclosure process seems to favor confusion when one considers law enforcement constraints, the demands of 24×7 reporting, and data breach disclosure laws that vary from state to state. You don’t need to add to the confusion,” he adds.

None of this is to say that communications is a substitute for corrective action. Quite the contrary: communications should help support whatever corrective action is underway.

“BP, contrary to popular opinion, was doing a good job of communicating what was going on at the beginning of that crisis,” says Kucharski. “The problem was they couldn’t stop the oil coming out of the bottom of the ocean. You can only say sorry so many times before people start demanding that you fix the damn problem,” he says.

Discussion

  • Mark D. Adams on

    It's also important not to play the blame game. It's not necessarily time to let your infosec manager go, just to show that the "responsible" party was punished. You're only going to make things as secure as your risk assessment and budget demand, and there is no such thing as completely secure.