DataBreaches.net

DataBreaches.net

The Office of Inadequate Security

Menu
  • Breach Laws
  • About
  • Donate
  • Contact
  • Privacy
  • Transparency Reports
Menu

How to Respond to a Data Breach – and Then Some

Posted on February 8, 2011 by Dissent

George Hulme recently wrote about an anticipated WikiLeaks exposure of Bank of America files and used Bank of America’s attempts to prepare for the disclosures as an opportunity to discuss how to respond to a breach. George writes, in part:

The idea isn’t to bury the news, or prepare executives how to lie, but to proactively deal with any potential reverberations from such a bunker-busting breach as quickly and efficiently as possible.

“When you’ve been hacked, and you know it’s coming, the worst thing to do would be to ignore it,” says Matt Kucharski, senior vice president at the Minneapolis-based public relations firm Padilla Speer Beardsley.

[…]

Kucharski says once an incident is underway, best practice response calls for four strategic prongs: assess, make a plan of action and the execution of that plan, communication, and an evaluation of how the plan went, or is going.

Read more on ThreatPost.

I don’t completely agree with George’s statement that most of the lasting impression isn’t going to be how the breach occurred. I think that when a breach involves a laptop with unencrypted sensitive information being stolen from an employee’s car,  the entity’s customers or employees will be left with a negative impression no matter how great the follow-up and communication might be.   Perhaps the only thing a company can do in that scenario to win back its users’ fuller confidence is to fire the employee and make it clear that any employee who violates security policies does get fired.

I would add the following  recommendations on communication following a breach:

  • Be upfront about the number of people affected.
  • Be upfront about how the breach occurred.
  • Be upfront about when – and how – you discovered the breach.
  • Offer the customers free services if the data involved are such that their risk of ID theft or fraud is now increased – however small you think or desperately wish to believe the risk is.
  • Those affected do not need false platitudes and reassurance. They need information and solid advice not to take any chances.  There is no place for stupid statements like, “We have no evidence to believe that your data have been misused.”   Data can first be misused months or even years later.  A company’s attempt to downplay the seriousness of a breach in a misguided attempt to protect their reputation  may lead to people not taking steps to protect themselves from the increased risk they now face.
  • Set up a dedicated phone line with trained professionals to assist people who want to call for more information or help. Have the phone line open on evenings and weekends for the first month after the notification.
  • Post a notice on your web site with a prominent link from the home page.
  • Don’t be afraid to talk to reporters or bloggers. While we are out to get the story and details, don’t assume that whatever we write will hurt your reputation. If you’re handling things well, you might even wind up with positive press.

Related Posts:

  • Some of WikiLeaks' Bank of America data destroyed
  • LA: IberiaBank accuses former executives of stealing…
  • George Mason University notifies 4,400 of malware intrusion
  • Bank of America website exposes customer accounts, data
  • AU: Merchant under fire in bank data breach affair…

Post navigation

← UK: Councils fined for unencrypted laptop theft
Identity Fraud Fell 28 Percent in 2010 According to New Javelin Strategy & Research Report →

2 thoughts on “How to Respond to a Data Breach – and Then Some”

  1. marianc says:
    February 8, 2011 at 12:47 pm

    So your solution is to find a scapegoat to hang and that is supposed to restore public confidence?

    It’s far more important to assess the policies and procedures that allowed such an incident to happen. Who is responsible for making sure that mobile devices are encrypted? The end user? No. The CIO’s office, where there should be an adequately traned and qualified CISO in charge. Who is responsible for training end users on proper security procedure? Who is responsible for setting the policy governing the proper handling and storage of mobile devices?

    If an organization has the right policies in place and enforces them, the proverbial stolen unencrypted laptop should never be able to happen. Blaming the hapless employee who had the misfortune to misplace the device is no solution. All it does is deflect the blame from where it belongs: on management.

    1. admin says:
      February 8, 2011 at 1:36 pm

      I was referring to those situations in which management has the right policies in place but the employee violated the policy. Yes, you can argue that management should be ensuring that policies are followed and I agree with that, but really, at some point, if the employee knows he’s not supposed to leave his laptop in his car and leaves it there anyway, he should be fired. And in those situations, that’s what I think the company needs to do and to tell those affected. And if it turns out that the problem was with management, well, then, maybe management needs to be fired.

      If the right policies and procedures weren’t in place, then that’s a different story and the focus is on revising policies and procedures to prevent recurrence.

Comments are closed.

Sponsored or Paid Posts

This site doesn’t accept sponsored posts and doesn’t respond to requests about them.

Have a News Tip?

Email:

Breaches[at]Protonmail.ch
Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Telegram: @DissentDoe

Browse by News Section

Latest Posts

  • Update: Cardiovascular Consultants Ltd. ransomware attack reportedly affected 500,000 patients, guarantors, and staff
  • Data breach by Addenbrooke’s Hospital reveals patient information
  • Millions of patient scans and health records spilling online thanks to decades-old protocol bug
  • Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements (GAO Report)
  • Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers
  • CBIZ KA Notice of Data Privacy Incident (Prime Healthcare)
  • Seeking clarification on Maine’s data breach notification statute
  • East River Medical Imaging notifies 605,809 patients of breach

Please Donate

If you can, please donate XMR to our Monero wallet because the entities whose breaches we expose are definitely not supporting our work and are generally trying to chill our speech!

Donate- Scan QR Code   Donate!

Social Media

Find me on Infosec.Exchange.

I am also on Telegram @DissentDoe.

RSS

Grab the RSS Feed

Copyright

© 2009 – 2023, DataBreaches.net and DataBreaches LLC. All rights reserved.

HIGH PRAISE, INDEED!

“You translate “Nerd” into understandable “English” — Victor Gevers of GDI Foundation, talking about DataBreaches.net

©2023 DataBreaches.net