Hello again readers!! Today's post is the first (but most certainly not the last) "guest post" in which friends and colleagues can share their experiences and insights and give alternate perspectives on digital forensics, incident response, and information security.
Today's post is authored by my friend "Jack" who has much more experience (and an MBA) on the "business" side of forensics and incident response than I ever will (and let's be honest, I also will never have an MBA). "Jack" may or may not also be in the Witness Protection Program, but the OPM data breach might change that.....
(PS: Apparently cat memes are the number one attraction to blog posts, according to 87 out of 100 business professionals. The other 13 were no doubt scouring the internet for other pictures of cats.)
How to Have that Awkward Conversation
NO, not the “It’s not you; it’s me!” one. The one where you tell your employees (or clients!) that you’ve been hacked, their information is who-knows-where, and oh by the way, you’ve got no idea how the bad guys even got in. You know. THAT one.
I’m not going to sugarcoat this. It’s going to be painful. It’s going to be embarrassing. But just like adults always tell kids, it is better to hear it directly from you. If the news media or banking institutions are notifying victims instead… oh boy; it’s a public relations nightmare.
First rule of Data Breach Club: Talk first and say it loud. No one likes being indoctrinated into Data Breach Club, but I’ll let you in on a little secret: It’s not an exclusive membership. You’re either in the club, or you don’t know you’re already in the club.
If you are upfront and honest, chances are better that you might maintain the relationships your organization has with its employees, partners, and clients. Further, you may not have a choice about public disclosure, or private disclosure, depending on contracts you have with clients. Depending on the laws where you operate, you may be obligated to provide full disclosure within a certain time period. Most state breach notification laws don’t specify what your notification should include; however there are some minimum guidelines which we attempt to cover in our samples below.
In the State of Maryland for example, the Attorney General’s website says the following about data breach notifications:
Once a security breach is detected, a business must conduct in good-faith a reasonable and prompt investigation to determine whether the information that has been compromised has been or is likely to be misused, i.e. for identity theft. If the investigation shows that there is a reasonable chance that the data will be misused, that business must notify the affected consumers.
In the event of a security breach, notice must be given to consumers as soon as reasonably practicable following the investigation. A business may delay notification if requested by a law enforcement agency or to determine the scope of the breach, identify all the affected individuals or restore the integrity of the system. Notice to affected consumer must be given in writing and sent to the most recent address of the individual, or by telephone to the most recent phone number. Notice may be sent via e-mail if an individual has already consented to receive electronic notice or the business primarily conducts its business via the Internet. The law also contains a provision for substitute notice, allowing a business to provide notice of a security breach by e-mail, posting on its website and notice to statewide media if the cost of notice would exceed $100,000 or the number of consumers to be notified exceeds 175,000 individuals. (https://www.oag.state.md.us/idtheft/businessGL.htm)
Searching online for “data breach disclosure laws AND [your location]” should net you some relevant results. When in doubt, call a lawyer that specializes in data breaches. If the Google can’t find one, your local Bar Association should be able to assist you.
So how do you begin that notification email? Your letter should contain some version of the following:
[ ] denote areas where you should fill in the blank
Part I—Introduce the Problem and Accept Responsibility: You need to be upfront and honest; if you have a lawyer advising differently, find a new lawyer (Preferably one you suspect has a secret identity and fights crime at night using heightened senses resultant from a hazardous chemical spill; but I suppose if you can’t find one, any ethical data breach lawyer will do.) If you don’t know something, say so. Trying to hide the fact that you don’t know something just makes you look like you are hiding something, which is usually assumed to be more sinister. Also, please don’t place blame on nation-states for a mess of your own creation; you’ll end up looking ridiculous and becoming the Poster Child of “What NOT to do”.
“We are contacting you because on [insert discovery date] we discovered a serious cyber-security incident that occurred between [Start Date] and [End Date] that involved a breach of your [personal information, such as medical records, credit card numbers, passwords, etc…]. At this time we do not believe that [other personal information] was accessed. We know you have trusted us with your information and we take that trust seriously. We take full responsibility for this incident and we will work tirelessly to resolve it quickly and completely.”
And if you delayed in sending notifications to victims, say why:
“In accordance with applicable laws, we delayed notification of affected parties by 30 days, due to an official request by law enforcement.”
Part II—Here’s What Is Happening Now: This is where you tell them what you are doing do fix this problem. (Not diverting attention, not doing just enough to get regulators off your back, not putting on a show to restore stock prices, not doing the minimum for regulatory compliance or limiting your liability. Actually fixing the problem. Let me say it again for dramatic effect: Actually.Fixing.The.Problem.)
You’ll want to (or be required to) at least cover what you did to stop the attackers, what you are doing to clean-up the breach, and what changes you will make in the future. Your notification should say some version of the following, pick and choose based on your circumstances:
“Upon discovery we immediately blocked the offending IPs and shut down all out-bound traffic. We have begun the process of finding compromised machines.”
“We brought in cyber-security experts to investigate and fix this problem entirely and to ensure that we are more secure in the future.”
“We advised the credit reporting bureaus and banks of this incident. We are offering a free credit report to every affected party, and here’s how to do that. [Instructions here.]”
“We are cooperating fully with law enforcement and an investigation is on-going. There will be full participation and transparency during the investigation. Employees will be contacted in person if their assistance is required. Do not provide any personal information, account numbers or passwords to any unverified person via email or on the phone, now or ever.”
“We are currently dedicating money to invest in our IT infrastructure, our security personnel, and monitoring tools so that attacks in the future are thwarted.”
Part III—Here’s What the User Has to Do: This is where you tell your employees, clients, customers, and/or Partners what they need to do. You must be exceedingly firm about password changes and policy enforcement while at the same time making this VERY easy for them. It’s a huge component of rebuilding trust and being transparent throughout the process. You’ll want to take note of the inclusion of an attachment, which should detail cyber-security best practices that they can use at work or at home.
“You will be required to choose a new password before you can log into your account. Everyone must do this, from the newest employee to the CEO of the company—even every member of the IT team to include admin accounts. It may NOT be the same password as last time. Your password will be required to have upper and lower case letters, a number, and a symbol. You cannot use dictionary words. It must also be at least 8 characters in length. We apologize for the inconvenience, but this is a very important part of information security. It removes the attacker’s access to our network. Thoroughness of this step is paramount.”
“You may wish to place a fraud alert or freeze on your credit report, which you can do by contacting the three major credit reporting bureaus, Equifax, Experian, and TransUnion [insert contact info here]. Be aware that you will not be able to borrow money or open a new credit card until you lift the freeze.”
“If your bank has not contacted you about replacing your cards, you may wish to proactively call them and ask for a replacement card.”
“We recommend following industry standards and best practices when it comes to cyber security. The attached document details steps you can take to better protect yourself from online threats, both professionally and personally. There is even a section included that focuses on online safety for kids and teens.”
Part IV—We are Here to Help You: This is where you point people to your public relations team, who in turn can run point between the employees/clients/partners and the legal team, technical team, management team, etc…
What? You don’t have a public relations team/person? Didn’t anyone tell you that this is a key part of a data breach incident? This is one of those indirect costs of data breaches that no one ever considers during the risk management process. Yes, it will cost money; you didn’t think data breaches were cheap did you? Please note the inclusion of a toll-free number and the promise of regular updates. We define “regular” as at least every two weeks.
“If you have any questions or concerns, you may contact our offices at: [1-800-555-5555] or email us at [firstname.lastname@example.org]. Our website: [www.ourcompany.com] will be updated with the latest information as our investigation continues.”
“Again, we apologize for this incident and any inconvenience this causes. We value your trust and we are committing all resources to resolving this incident quickly and completely, so we can get back to [insert mission statement or “what you do” here].
[Highest ranking person in your company]
No, I’m not kidding. Your lawyer should not sign this for you. Nor should your 3rd party data breach management company. Not your PR firm, not the head of IT, and definitely not something cutesy like your mascot (even if your mascot is one of the cats in this blog post). And for crying out loud, I don’t care how big and high profile you are, don’t have the President of the United States address the nation for you either.
Before you send out this letter, run it by your public relations team/person, your general counsel/lawyer, your data breach response team, and your CEO, who as we discussed above will be signing the letter.