Data on 70 million customers stolen, 76 million accounts affected, 44 lawsuits filed, 1.1 million customers exposed, 7 million business accounts compromised. That's just some of the alarming damage done by data breaches at Target, Home Depot, Nieman-Marcus and JPMorgan Chase in 2014. And the fallout didn't stop at those numbers. The year that can be viewed as the one where IT security finally got taken much more seriously by upper management was also characterized by C-suite shake-ups, security department reorganizations, lawsuits, high-level pink slips, disappointing financials and plummeting customer confidence. In other words, data breaches caught the attention of, well, the world – as did the way they were (and were not) handled.
But it was the revelation before Thanksgiving when Sony Pictures was crippled by a breach that derailed the company's operations for a full week that eclipsed other major hacks, and served as a lesson to Corporate America on how not to handle crisis communications by bungling relations with key stakeholders (e.g., employees, former employees, creative talent, theater owners) and damaging reputation nearly every step of the way (see sidebar, page 23).
“How to communicate publicly is as important or more important in crisis situations,” says Jim Haggerty, CEO of Crisis Response Pro, a web-based entity for crisis and litigation communications whose clients include several financial firms that have had breaches in the past year. “There's a sense in crisis situations that communications is the icing on the cake, it's what you do after everything else. My view is communication is the cake.”
Ron Green, MasterCard's executive vice president and CISO, agrees. “Communications is usually the last thing that you've thought of,” he says. “But it's the first thing the public – your customers, your clients and your investors – are going to see. You have to prepare and engage not just what you're going to do from the security side; you have to know what you're going to do from the communications side, and have prepared messaging.”
OUR EXPERTS: Federal breach law
Ron Green, executive vice president and CISO, MasterCard
Steven Grimes, partner, Winston & Strawn
Jim Haggerty, CEO, Crisis Response Pro
Tom Kellerman, chief cybersecurity officer, Trend Micro
John Otero, security consultant; former lead, New York City Police Department's computer crime squad
Eric Warbasse, senior director, financial services, LifeLock
Typically, an organization's IT security staff will handle incident response, but the responsibility and effort can't just lie with that team, Green points out. “Security for a company is not just the security team, it's the whole company,” he says. When it comes to executing that crisis plan, people must be sure what their role and their position is, and what they should be doing, he adds. “You should always prepare like [a breach is] inevitable.”
Security consultant John Otero, who formerly led the New York City Police Department's computer crime squad, cites the reverberations felt by top management everywhere following the Target CEO losing his job after mismanaging the retail chain's breach and the “black eye” the retailer suffered.
In the wake of siphoned employee personally identifiable information (PII) and customer credit card numbers or passwords, companies need to be prepared with credit monitoring or identity protection services, notes Eric Warbasse, senior director, financial services for LifeLock, a Tempe, Ariz.-based provider of identity theft protection.
Further, public statements should not speculate as to the responsible party. Hacked companies with potential regulatory enforcement exposure especially “need to be extremely careful about what they say and ensure what they issue publicly is accurate,” points out attorney Daniel Fetterman, a New York-based partner with Kasowitz Benson Torres & Friedman, a national law firm primarily focusing on complex commercial litigation, and a former federal prosecutor and trial lawyer.
“In the rush to publicly get out a positive, reassuring story to make stakeholders feel better, companies should proceed cautiously and be careful not to get it wrong,” says Fetterman.
The consensus of our experts it that it behooves organizations to have top management, legal, IT security and PR work together on a message that strikes the proper balance.
“You need to reassure the public that you have control of the situation,” says Haggerty at Crisis Response Pro. “Data breaches are becoming so common that they resemble product recalls in the auto industry, whereby a system or structure comes into play for proper notification when something happens.”
Davia Temin, a marketing, media and reputation strategist, crisis manager and CEO of Temin and Company, a boutique management consultancy focused on reputation and crisis management, says technology experts often urge delaying the initial announcement until the security folks have had time to learn more and maybe try to trace the culprit. “But that's at odds with the public wanting to know the minute that their information may have been compromised,” she says, adding that the public has an expectation to know as soon as possible so they can change passwords, etc. Temin advises clients to communicate that: “We don't know the total parameters yet, but we know we had a breach. We're doing everything humanly possible to close it and understand the magnitude of it. And we'll be in continual contact with you.” In this day of social media and immediacy, if you wait, it looks like you're stonewalling the truth, she says.
MasterCard's Green agrees. “If you're not confident about the information you're going to present, you shouldn't present it. Let everyone know you're aware of it and are working diligently on it,” he says.
As far as the legal ramifications, there's quite a difference of opinion about whether a breached company must follow law enforcement's lead on when information can be released to the public.
Tom Kellerman, chief cybersecurity officer of Trend Micro, a developer of security solutions, advises breach victims to ask the FBI and Secret Service, based on the stage of their investigation, when to notify the public.
Not all experts agree with that strategy. Jonathan L. Bernstein, president of Bernstein Crisis Management, says waiting for the FBI or Secret Service before saying anything publicly doesn't make sense. “I've worked on a lot of these,” he explains. “The FBI will always make that request, but the FBI is not responsible for protecting the reputation of the organization. The FBI doesn't particularly care about the reputation of the organization. So the FBI's request is the same as a lawyer who says, ‘don't say anything because you're risking liability.' You have to look where is the biggest liability: court of law or court of public opinion.”
Attorney Steven Grimes (right), a partner with the Chicago law firm Winston & Strawn, says it's a case by case determination whether a hacked company will wait to hear from the authorities before telling the public anything. Litigation, he adds, is a very likely outcome.
Hacked companies need to keep in mind various legal ramifications, such as the Federal Trade Commission (FTC) and states' attorneys general bringing lawsuits, respectively, for their failure to provide adequate security measures and failure to report in a timely fashion in violation of data breach notification laws, Grimes points out.
Ideally, attacked companies are working with a proper crisis response plan. “That doesn't always happen,” he admits, noting that many companies don't reach out for outside legal help experienced in this area until later in the game, while in-house counsel didn't have the required level of coordination.
MasterCard's Green adds that listening to the authorities makes sense so as not to say anything that's going to upset or derail their investigation. “When you make your notification, you have to think about what you're going to provide,” he says.
Temin knows a CEO of a retailer who, after a hack, considered his biggest mistake was not that he didn't get better systems or pay attention to vulnerabilities more closely early on. It was that he didn't come out quickly enough.
Trouble for sony: The new poster child for breach crisis
In a Nov. 25 statement, Sony Pictures announced it was investigating “an IT matter.” Since then, the hack has proven that fact can be stranger than fiction – even in Hollywood.
That Sony Pictures did not anticipate vulnerabilities after producing a movie antagonistic to a volatile government should cause all organizations to pause and reassess whether they're prepared for such a worst-case scenario.
Obviously, Sony's biggest failure was not protecting its intellectual property (including unreleased movies) and personal data (including employee PII and health records), especially in face of a 2011 hack of the PlayStation Network affecting consumer data of 77 million users. As class-action lawsuits pile up, a source familiar with Sony says its insurance would cover losses associated with “incidents like this.”
Only time will tell whether the company will be able to defend itself given the assertion by Mandiant CEO Kevin Mandia, “This was an unparalleled and well-planned crime, carried out by an organized group, for which neither Sony Pictures Entertainment nor other companies could have been fully prepared.”
That Sony was so unprepared is curious considering that Sony Corp. general counsel Nicole Seligman – in charge of the company's information security – has sat on the Council on CyberSecurity Advisory Board since 2013.
It wasn't until Dec. 15 that Sony Pictures posted a message on its website for current and former employees and dependents that the company learned on Dec. 1 that their health PII may have been compromised.
“[Sony] was slow in communicating, and it didn't reflect an adequate level of compassion for the people who were the victims,” says crisis manager Jonathan Bernstein. “This is Crisis Management 101. It's very basic stuff how to avoid getting yourself in trouble in the first place.” He notes government officials consulted with the company back in June about problems likely to arise with the release of The Interview. Its response: slight edits and changing the label from Sony Pictures to Columbia Pictures.
A Sony spokesman denied a published report that the company was warned in June by the FBI that it might be vulnerable to a retaliatory hack.
Bernstein considers Sony to be the biggest example of corporate incompetence in terms of reputation management. “If they were being graded, I'd give them an F in the crisis prevention category. And crisis response was mediocre at best.” – Larry Jaffee