Data on 70 million customers stolen, 76 million accounts affected, 44 lawsuits filed, 1.1 million customers exposed, 7 million business accounts compromised. That's just some of the alarming damage done by data breaches at Target, Home Depot, Nieman-Marcus and JPMorgan Chase in 2014. And the fallout didn't stop at those numbers. The year that can be viewed as the one where IT security finally got taken much more seriously by upper management was also characterized by C-suite shake-ups, security department reorganizations, lawsuits, high-level pink slips, disappointing financials and plummeting customer confidence. In other words, data breaches caught the attention of, well, the world – as did the way they were (and were not) handled.
But it was the revelation before Thanksgiving when Sony Pictures was crippled by a breach that derailed the company's operations for a full week that eclipsed other major hacks, and served as a lesson to Corporate America on how not to handle crisis communications by bungling relations with key stakeholders (e.g., employees, former employees, creative talent, theater owners) and damaging reputation nearly every step of the way (see sidebar, page 23).
“How to communicate publicly is as important or more important in crisis situations,” says Jim Haggerty, CEO of Crisis Response Pro, a web-based entity for crisis and litigation communications whose clients include several financial firms that have had breaches in the past year. “There's a sense in crisis situations that communications is the icing on the cake, it's what you do after everything else. My view is communication is the cake.”
Ron Green, MasterCard's executive vice president and CISO, agrees. “Communications is usually the last thing that you've thought of,” he says. “But it's the first thing the public – your customers, your clients and your investors – are going to see. You have to prepare and engage not just what you're going to do from the security side; you have to know what you're going to do from the communications side, and have prepared messaging.”
OUR EXPERTS: Federal breach law
Ron Green, executive vice president and CISO, MasterCard
Steven Grimes, partner, Winston & Strawn
Jim Haggerty, CEO, Crisis Response Pro
Tom Kellerman, chief cybersecurity officer, Trend Micro
John Otero, security consultant; former lead, New York City Police Department's computer crime squad
Eric Warbasse, senior director, financial services, LifeLock
Typically, an organization's IT security staff will handle incident response, but the responsibility and effort can't just lie with that team, Green points out. “Security for a company is not just the security team, it's the whole company,” he says. When it comes to executing that crisis plan, people must be sure what their role and their position is, and what they should be doing, he adds. “You should always prepare like [a breach is] inevitable.”
Security consultant John Otero, who formerly led the New York City Police Department's computer crime squad, cites the reverberations felt by top management everywhere following the Target CEO losing his job after mismanaging the retail chain's breach and the “black eye” the retailer suffered.
In the wake of siphoned employee personally identifiable information (PII) and customer credit card numbers or passwords, companies need to be prepared with credit monitoring or identity protection services, notes Eric Warbasse, senior director, financial services for LifeLock, a Tempe, Ariz.-based provider of identity theft protection.
Further, public statements should not speculate as to the responsible party. Hacked companies with potential regulatory enforcement exposure especially “need to be extremely careful about what they say and ensure what they issue publicly is accurate,” points out attorney Daniel Fetterman, a New York-based partner with Kasowitz Benson Torres & Friedman, a national law firm primarily focusing on complex commercial litigation, and a former federal prosecutor and trial lawyer.
“In the rush to publicly get out a positive, reassuring story to make stakeholders feel better, companies should proceed cautiously and be careful not to get it wrong,” says Fetterman.
The consensus of our experts it that it behooves organizations to have top management, legal, IT security and PR work together on a message that strikes the proper balance.
“You need to reassure the public that you have control of the situation,” says Haggerty at Crisis Response Pro. “Data breaches are becoming so common that they resemble product recalls in the auto industry, whereby a system or structure comes into play for proper notification when something happens.”