In the years that I have been helping companies deal with data breaches, some things have changed: mainly, the size and volume of the breaches, the severity of their impact, and the extent of the damage to consumer trust, together with the pioneering of class-action lawsuits against name-brand companies like Honda, Sony, Ameritrade, and Aetna in connection with alleged data breaches.
In recent days, we've seen hits on Citibank, payroll service company ADP, the International Monetary Fund, the CIA, Nintendo, defense contractor Lockheed Martin, and of course, Sony PlayStation, where an alleged breach compromised the personal data for roughly 100 million customer accounts, reportedly costing the company in excess of $170 million. If anything, the pace of attacks is accelerating. Yet preparedness in most companies whose systems hook into the Internet (essentially everybody) continues to lag.
The most basic tool is having a crisis management plan in place that covers the risk of a breach. In practice, a data breach generally requires the skill and cooperation of security, legal, audit, and communications professionals working as an integrated team able to report and make recommendations promptly to the CEO and board of directors. Having protocols developed ahead of a breach will help. These guidelines need to include scenario planning and, ideally, simulations, so that those involved have been through the drill to see what works and what does not ahead of an actual crisis.
Communications also need to take place in a sequenced fashion with relevant government officials, customers, business partners, service providers (such as payments processors and financial institutions), and one's own employees, potentially in multiple countries. Questions and answers and fact sheets regarding the breach will be needed (often with little time to prepare them), along with the elements of a mitigation plan to protect those who are now at risk. Doing this on the fly is a poor way to protect a company's reputation with the people who are most important to its future.
Despite the best planning efforts, every breach is unique, and no set of scenarios is likely to anticipate each element of an actual crisis.
When a crisis hits, you can't assume you will have all the information you need, that the information you think you have is accurate, that you will be able to get that information to your key people in time, or that the external environment will be sympathetic to the situation. Things will go wrong.
Given this reality, a company should have someone “in charge” of data breaches ahead of time to act as the fulcrum for managing a crisis. Usually, this will be the general counsel or a designee. But as lawyers take over, it's vital to accompany the legal decisions with an internal and external communications plan.
What is said, and when, will have a substantial impact on how the breach is perceived by everyone affected, from regulators and attorneys general to employees, customers, and plaintiffs' lawyers. A communications professional should be integrated into the team from the outset, and knowing what will be said to whom should be as essential as getting the actual breach plugged.
Jonathan Winer is a former U.S. deputy assistant secretary of state for international law and 20-year veteran in information security. He currently serves as senior vice president at APCO Worldwide.