Vital Components to Equip Your Organization for Breach Readiness, Part 2: Effective Communication Tactics
By: Marissa Rodriguez
Your communications set the tone with internal and external stakeholders after a data breach occurs, so you need to get them right. Unfortunately, many breach response plans treat customer notification as an afterthought. While there is currently no general federal law that dictates how data breaches must be handled and disclosed (sector-specific rules such as HIPAA aside), mishandling communications after a breach can have significant and long-term consequences.
Crucial Lessons Learned
Several years ago Yahoo disclosed two separate data breaches that together exposed well over a billion records. Although no financial data was reported to have been taken, the amount of personal data exposed was unprecedented. The breaches came to light during Yahoo's pending acquisition by Verizon, which also highlighted the fact that customers had not yet been notified. Due in part to the perceived mismanagement of notification and the general lack of communication about these incidents, the original sale price was reduced by $350 million [1].
Fast forward, and Yahoo has since faced 23 consumer class-action lawsuits alleging public misrepresentations and failure to disclose material facts. This incident highlights how poor communication following a data breach can lead to severe brand and material damage, even to a trusted company.
There is currently no general federal law that holds companies accountable for notifying customers after a data breach, but state laws do, and they often translate into a required notification by direct mail. Even though this is not the most cutting-edge method, it satisfies the legal requirements and is hard for phishers (people who impersonate a trustworthy entity to extract sensitive information) to abuse. Email and text-message notifications are problematic precisely because they are easy to spoof: an attacker can send a lookalike "breach notice" with a malicious link, and the legitimate notice itself trains customers to act on unsolicited messages. Whatever the channel, a notification should never ask the recipient to supply passwords, account numbers, or other sensitive data.
It’s All About Logistics
What incident response plans typically leave out is the logistics of physically assembling a direct-mail communication. Companies must think through several factors:
- The IT department must be able to safely compile the affected customers' contact data into the format the mailing vendor requires, limited to the fields the vendor actually needs (postal addresses must be collected if they are not already on file).
- Gathering international data (if applicable) often presents a unique challenge for businesses, since those records usually cannot go through the same domestic mailing process.
- A reliable large-scale mailing partner (one of the costliest parts of this process) capable of producing the letters on high-quality paper must be identified and tested before a mailing is needed.
- Legal counsel must craft the appropriate content for the letters. Each state has its own content requirements, which typically means 2 to 4 versions of the letter for each incident.
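One way to script the data-compilation step in the list above, as an added example that is not code from the original post or from AllClear ID: it takes constructed customer records (labelled as such in the code), keeps only the fields a mailing vendor needs and drops e-mail and account data so they never leave the company, sets aside international records and records with no usable postal address, sends one letter per person per address, and tags each row with a letter version from a hypothetical state-to-template table that legal counsel would own in practice. The `STATE_LETTER_VERSION` table, the `MAIL_FIELDS` column list and the sample data are all assumptions made for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows, as they might be exported from an internal CRM.
# The email and account_number columns exist only to show that they are
# dropped before anything is handed to the mailing vendor.
SAMPLE_RECORDS = [
    {"customer_id": "C001", "name": "Ana Ruiz", "email": "ana@example.com",
     "account_number": "4111-2222", "street": "1 Main St", "city": "Austin",
     "state": "TX", "postal_code": "78701", "country": "US"},
    {"customer_id": "C002", "name": "Ana Ruiz", "email": "ana2@example.com",
     "account_number": "4111-3333", "street": "1 Main St", "city": "Austin",
     "state": "TX", "postal_code": "78701", "country": "US"},  # second account, same address
    {"customer_id": "C003", "name": "Li Wei", "email": "li@example.com",
     "account_number": "4111-4444", "street": "200 Market St", "city": "San Jose",
     "state": "CA", "postal_code": "95113", "country": "US"},
    {"customer_id": "C004", "name": "Jo Bloggs", "email": "jo@example.co.uk",
     "account_number": "4111-5555", "street": "10 High St", "city": "Leeds",
     "state": "", "postal_code": "LS1 1AA", "country": "GB"},  # international
    {"customer_id": "C005", "name": "Sam Poe", "email": "sam@example.com",
     "account_number": "4111-6666", "street": "", "city": "", "state": "NY",
     "postal_code": "", "country": "US"},  # no postal address on file
]

# Hypothetical state-to-template table; legal counsel owns the real one.
STATE_LETTER_VERSION = {"CA": "v2-CA", "MA": "v3-MA", "NY": "v4-NY"}
DEFAULT_VERSION = "v1-default"

# The only columns that go to the mailing vendor (an assumed vendor format).
MAIL_FIELDS = ("customer_id", "name", "street", "city", "state",
               "postal_code", "country", "letter_version")

US_ZIP = re.compile(r"^\d{5}(-\d{4})?$")


def minimize(record):
    """Keep only vendor-needed fields; email, account data etc. stay inside."""
    return {k: record.get(k, "") for k in MAIL_FIELDS if k != "letter_version"}


def triage(records):
    """Split affected customers into per-template mailing batches, international
    records for a separate process, and IDs that need an address lookup first.

    Returns (batches, international, missing_address); batches maps a letter
    version to minimized rows, deduplicated by name and postal address.
    """
    batches = defaultdict(list)
    international, missing_address = [], []
    seen = set()
    for rec in records:
        row = minimize(rec)
        if not (row["street"] and row["city"] and row["postal_code"]):
            missing_address.append(row["customer_id"])
            continue
        if row["country"].upper() != "US":
            international.append(row)
            continue
        if not US_ZIP.match(row["postal_code"]):
            missing_address.append(row["customer_id"])  # unmailable as stored
            continue
        key = (row["name"].lower(), row["street"].lower(), row["postal_code"])
        if key in seen:
            continue  # one letter per person per address
        seen.add(key)
        row["letter_version"] = STATE_LETTER_VERSION.get(row["state"], DEFAULT_VERSION)
        batches[row["letter_version"]].append(row)
    return dict(batches), international, missing_address


def render_csv(rows):
    """Serialize one batch to CSV with exactly the MAIL_FIELDS columns."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=MAIL_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    batches, intl, missing = triage(SAMPLE_RECORDS)
    for version, rows in sorted(batches.items()):
        print(f"--- {version}: {len(rows)} letter(s) ---")
        print(render_csv(rows))
    print("international (separate process):", [r["customer_id"] for r in intl])
    print("needs address lookup:", missing)
```

The point of the triage is that the vendor file is a new copy of personal data leaving the company in the middle of an incident; building it from a fixed allow-list of columns, rather than exporting whole customer records, keeps that copy as small as the letters require.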
Finding the Needle in the Haystack
To add another layer of complexity, your company must consider the outside stakeholders that shape decision making and notification processes in different industries. These may be industry-specific requirements set by regulators (in healthcare, for example, the HIPAA Breach Notification Rule enforced by HHS). Such requirements set deadlines for notifying affected individuals, may require identity protection inserts, and add another set of obligations to manage during a response.
These are all decisions and processes that can and should be planned and documented ahead of time as part of a complete incident response plan that will actually guide you through the full customer notification and response.
Jessica Smith, Director of Incident Response at AllClear ID, has worked with hundreds of companies that have experienced data breaches large and small. Over the last four years, she has witnessed the many challenges businesses face during a breach response when they do not have a documented notification plan. They include:
- Difficulty managing the numerous moving pieces involved in a successful notification event
- Uncertainty around the chain of command for making decisions
- Complexities of trying to manage traditional business bureaucracy in the midst of a crisis
The good news is that all of these considerations, decisions, and processes can be thought through and documented ahead of a data breach event. When companies have a robust notification plan documented in their larger incident response plan, they are often able to make better decisions and notify more quickly when a breach does occur. Stay tuned for our next post in the series to learn about identity theft protections.