At the Data Breach Notification Bootcamp Wednesday morning at the IAPP Global Privacy Summit, Liisa Thomas led a packed room through a privacy pro's hypothetical nightmare: Your organization has detected a potential breach incident. What do you do next?
In the hypothetical situation, attendees were asked to discuss how they’d react if their company was the subject of a rumored breach incident. Speculation of a breach was swirling around on Facebook. So what to do? Do you ask Facebook to take the speculative posts down? What if that attracts more attention than leaving the posts up would?
First, Thomas said, it’s essential to find out who in the company might know the facts and to establish an external communications plan. And those aren’t steps you take the day a potential breach is discovered. Those plans should be established ahead of time.
The next revelation in the hypothetical: There's definitely been a breach. The IT department has revealed that email addresses and usernames were taken from a third-party vendor the company uses and that the data was stored in the cloud, meaning more than one company was involved in the breach.
The next questions that need to be addressed, Thomas said, surround who will work with the vendor, who makes up the internal team working on the investigation, and whether external resources will be brought in.
A breach involving a third-party vendor gets even more complicated because then the question is introduced: Whose obligation should it be to notify? Does the vendor speak into the microphone and alert your customers?
“I would not want the vendor notifying,” Thomas said. “In this particular situation, we would not want the vendor to be notifying our people directly unless we made the decision.”
After all, in the early stages it's generally not yet clear what information has been breached or whether there's even a duty to notify. "I would want to be approving what (the messaging) looked like," Thomas said. That being said, if the vendor is at fault for the breach, the affected company should be reimbursed for the notification costs it subsequently incurs, she added.
Molly Morse, managing director at PR firm Kekst and Company and co-moderating the session, said, from a PR standpoint, it’s absolutely essential to know what the vendor at fault is planning to do.
“Ultimately, the goal needs to be protecting the reputation of your organization,” Morse said. It’s also essential that any PR group enlisted—whether internal or external—understands the legal risks involved in the case, and early.
“If you’re going to end up in litigation with that vendor, you don’t want your PR people to either hurt or accelerate that case,” she said. “It’s a dance you need to do.”
As the hypothetical breach went on, it only got worse. A couple of hours in, it was revealed the breach situation had escalated: Fifty million usernames and passwords had been hacked via the hypothetical company’s website.
Now the question becomes: Do you shut down the infiltrated system, or will that make the source of the breach harder to find? That’s a question for your forensics team, Thomas said.
To the IT professionals in the room, likely part of that forensics team, Thomas asked: Who would shut the system down right away? Not a soul raised a hand, though one person spoke up: "Not unless there was a request from law enforcement."
Another significant consideration is the cloud: If there's been a breach and the data is stored in the cloud, it's possible it's mixed with other people's data. Even if your company decides there's no need to notify, there's a chance the other affected companies are notifying, and that could make you look bad for not doing so.
Be ready, Thomas said, to answer the following uncomfortable questions, because they’re the ones that always come:
When did it happen?
What info was compromised?
Was my info compromised?
How many people's info was impacted?
Was the info encrypted?
Was my SSN compromised?
Did anyone misuse the info?
What should I do?
What are you doing to protect me?
Why aren’t you taking other measures to protect me?
Those are probably just the tip of the iceberg, but if that list is daunting, you likely need to hit up a bootcamp of your own in the near future.