BreachExchange mailing list archives

Recovering From a Data Breach is Like Recovering From a Skunk Attack. No Matter Where or When You Go in the House the Stink Still Clings


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 7 Nov 2014 16:33:16 -0700

http://www.business2community.com/crisis-management/recovering-data-breach-like-recovering-skunk-attack-matter-go-house-stink-still-clings-01058960

Recovering from a data breach is like recovering from a skunk attack.  No
matter where or when you go in the house the stink still clings.

Consider Sony’s Playstation data breach in 2011.  It took until July 2014
for the dust to start to settle on this one.  That’s when Sony offered a
$15 million court settlement to U.S. users of its PlayStation Network
(PSN).  When the network was hacked three years before, the personal
account information of 77 million users was exposed in one of the largest
data breaches on record.  It didn’t help that it took months after the
incident for all PSN gamers to get back to blasting bad guys and
obliterating ogres.  In the meanwhile, Sony took a heavy financial hit.

That same year, in June 2011, Citigroup announced that hackers had acquired
the personal information of 200,000 credit card holders.  The settlement
for that one wasn’t offered until 2013 when the company revealed that the
breach actually exposed more than 360,000 North American Citi-issued
customers’ names, account numbers and contact information.

Given the sheer terror a data breach unleashes, it’s not surprising that
corporate victims focus their attention and resources on finding out how
the breaches occurred and what security holes they have to plug.  But what
about the communications side of things?  What should they be saying to
consumers who are scared and angry about effects of the breach while they
are working on the fixes?

Start with “We’re On It” – As with any crisis, the first thing your target
audience wants to know is that you’re aware of the situation and that
you’re on it.  A simple statement that comes as soon as you are aware of
the breach goes a long way towards muting initial panic.  This initial
response doesn’t need to go into a lot of detail about how many were
affected, what was hacked and how it happened.  Chances are you won’t know
that, so it’s best not to commit at that time.  A simple message that
doesn’t over-reach beyond what you know is best.

Tell your story promptly – Share verifiable facts quickly as they come in.
Your goal is to get control of the message and put yourself out there as
the most up-to-date source of accurate information.  If you don’t, tweets
and retweets will put forth their own theories about the reason and extent
of the attack.

We recently worked with a client whose ex-employee spewed forth his
theories about “foreign agents” hacking into their database.  While untrue,
his story was so intriguing that both the twittersphere and even a local TV
station showcased his take on things. Had the organization taken control of
the rumor mill earlier, they could have put out the truth, which was that
they had verifiable proof that there was no breach.  Instead, a vindictive
ex-employee’s ravings took center stage first and we had to play catch-up
afterwards.

Tell it all ways – Keep the public and stakeholders in the loop as you move
your investigation forward using traditional, on-line and even paid media.
One caveat here: Social is only useful if you already have an active
presence.  Starting a Facebook page or twitter account during a crisis is
fruitless.

Whether or not you’re active on social, your website needs to be THE source
for the latest on the breach.  We suggest you showcase information on the
site in three places: Prominently on the home page, as the number one item
in your news section and on a dedicated landing page that addresses the
breach.  Target’s landing page is still active almost a year after the
retailer was breached during the 2013 holiday season.  Ten months later,
the company still updates it, advising: “Visit this page for regular
updates and reliable information about our data breach, including all
official company communications.”  By the way, it took a while for Target
to get control of the story originally.  The news media were all over it
for 24 hours before they addressed the breach.  In the interim, breach
victims were unable to reach Target’s call center or website and angry
customers went to the company’s Facebook page to express their frustration.

Protect the victims – Many states have legislated how companies must react
to breaches in terms of both communications and customer protection.
Whether or not your state requires it, we advise offering free credit
monitoring as the first step to rebuilding customer trust.  In addition,
reassure those victims by delivering ongoing updates about what you’re
doing to protect them. Those communications should also showcase what
you’re doing to prevent similar attacks in the future.

Put on your Big Girl (or Big Boy) Panties and apologize – Corporate arrogance
or legal considerations may put the brakes on any kind of apology.  This is
a bad idea.  Craft an apology that acknowledges the impact of the breach on
its victims.   Demonstrate concern and compassion for what they are going
through with an eye towards your attorneys’ (well-founded) concerns about
future litigation.  As we advised another client going through a
gut-wrenching crisis: “We’re not suggesting you should say ‘We’re sorry we
killed her.’  We’re suggesting you say, ‘We’re sorry she’s dead.’”

Remember it ain’t over when it’s over – Once your security geniuses and IT
gurus have done their investigation and fixed any flaws, there’s a tendency
to think you’re done.  You’re not.  As we’ve seen in other data breaches,
the memory lingers on, bolstered by rumor, twitter and fear.  Nurture
victims well beyond the operational fixes.  Assure them that this is an
ongoing concern of yours and a legitimate concern of theirs.  Communicate
what you’ve learned, what you’ve changed and why you value their trust.
Acknowledge that their trust in you has taken a hit and assure them you’re
going to work to regain it.

Data breaches have the ability to deliver long-term reputation damage.
Demonstrating care, compassion and concern are important steps towards
reconstructing reputation and rebuilding trust.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 