George Hulme recently wrote about an anticipated WikiLeaks exposure of Bank of America files and used Bank of America’s attempts to prepare for the disclosures as an opportunity to discuss how to respond to a breach. George writes, in part:
The idea isn’t to bury the news, or prepare executives how to lie, but to proactively deal with any potential reverberations from such a bunker-busting breach as quickly and efficiently as possible.
“When you’ve been hacked, and you know it’s coming, the worst thing to do would be to ignore it,” says Matt Kucharski, senior vice president at the Minneapolis-based public relations firm Padilla Speer Beardsley.
Kucharski says once an incident is underway, best-practice response calls for four strategic prongs: assessment, a plan of action and its execution, communication, and an evaluation of how the plan went, or is going.
Read more on ThreatPost.
I don’t completely agree with George’s statement that most of the lasting impression isn’t going to be how the breach occurred. I think that when a breach involves a laptop with unencrypted sensitive information being stolen from an employee’s car, the entity’s customers or employees will be left with a negative impression no matter how great the follow-up and communication might be. Perhaps the only thing a company can do in that scenario to win back its users’ fuller confidence is to fire the employee and make it clear that any employee who violates security policies does get fired.
I would add the following recommendations on communication following a breach:
- Be upfront about the number of people affected.
- Be upfront about how the breach occurred.
- Be upfront about when – and how – you discovered the breach.
- Offer the customers free services if the data involved are such that their risk of ID theft or fraud is now increased – however small you think or desperately wish to believe the risk is.
- Those affected do not need false platitudes and reassurance. They need information and solid advice not to take any chances. There is no place for stupid statements like, “We have no evidence to believe that your data have been misused.” Data can first be misused months or even years later. A company’s attempt to downplay the seriousness of a breach in a misguided attempt to protect their reputation may lead to people not taking steps to protect themselves from the increased risk they now face.
- Set up a dedicated phone line with trained professionals to assist people who want to call for more information or help. Have the phone line open on evenings and weekends for the first month after the notification.
- Post a notice on your web site with a prominent link from the home page.
- Don’t be afraid to talk to reporters or bloggers. While we are out to get the story and details, don’t assume that whatever we write will hurt your reputation. If you’re handling things well, you might even wind up with positive press.