Here’s a CEO’s nightmare for the 21st century: You get a 2 a.m. call from your IT chief. There’s bad news — and there’s worse news.
The bad news? A hacker tapped into your data warehouse and obtained thousands of customers’ credit card numbers.
The worse news? You may have to notify authorities and customers within 72 hours. That is, if CNN doesn’t break the news first.
A virtual breaking-and-entering into your electronic information resources is a vortex that demands a lot of resources, as companies like TJX have discovered. However, a hacker halfway around the world is only one way that sensitive information may get compromised.
As companies share and exchange customer information as part of their daily operations, the risk for breaching proprietary or personal data rises. In fact, every type of business or institution experiences data loss each year — universities, hospitals, government agencies, banks and more.
Some common ways data may be compromised include the following:
- Failing to secure Web-accessible computers containing names, addresses, Social Security numbers, credit card numbers, medical records or other information;
- Lost or stolen laptops and data storage media (flash drives, hard drives, backup tapes) with unencrypted customer records, billing records or patient information;
- Failing to “clean” computer hard drives and other media before disposal; and
- Sending notifications or other documents with Social Security numbers, financial information, patient diagnoses or other personal information to the wrong person by mail, e-mail or fax.
In the past few years, well-publicized information security breaches spurred an increase in legislative and regulatory activity at federal and state levels throughout the United States. These laws and regulations may include notification statutes.
So, in a data crisis, you really have two big problems on your hands: First, how to fix it; second, how, when and to whom to talk about it.
Steps to Take
Here are key steps to take if you suspect or know that sensitive customer information has been compromised. At the very least, you’ll need a cross-functional team representing management, IT, legal, public affairs/communications and customer relations to make it through these steps — all of which may be happening at the same time.
Define the incident internally. This sounds like a no-brainer, but misinformation spreads more quickly than truth. Prevent the spread by systematically evaluating and defining the incident as soon as possible. Describe the information that was compromised (for example, customer name, birth date and credit card number).
Identify where that information was kept by labeling which systems, hardware and software were breached. Was the data accessed in an electronic format, a computerized system or a database? Was a computer, hard drive, flash drive or other data storage medium lost or stolen? Or did the disclosure occur on paper? Detail how the data was kept. For example, was it encrypted? Behind an ironclad firewall?
Finally, quantify and qualify the impact. How many persons or customers are affected? In which states do they reside or operate? For example, if an employer is assessing the impact of compromised personnel information, are the affected employees or former employees working in one state but residing in another?
Know the rules. What statutes and regulations govern your organization’s activities and the information security breach at hand?
If your organization is a financial institution, processes patient medical information or participates in highly regulated industries, compliance with the appropriate federal, state and other requirements governing your industry is required.
In other organizations, such as private employers, retail stores and online businesses, your team should assess which federal and state laws apply to your particular entity and the specific event that has occurred.
As of January, more than 35 states have enacted security breach notification statutes. In most information security breach incidents, state law will apply in addition to certain federal requirements. Many state notification statutes are modeled upon California’s notification statute, but each state has added its own particular requirements.
Among the nuances are different definitions of what information disclosures require notice; different types and means of notification (electronic, written or verbal); whether law enforcement must be notified; and any penalties for non-compliance.
For example, some states require that you notify any resident of the state whenever any sensitive data is compromised, regardless of whether the breach involved electronic databases. Other states require a notice only when computerized or electronic information has been accessed. Timing and enforcement authorities also vary.
Assess your contracts and obligations. In addition to federal and state law, your company likely has contracts containing notice requirements, confidentiality provisions and other provisions impacting your handling of a data crisis. Depending on the contract language, these provisions may require notice when a breach has or may have occurred.
Here’s something else that’s tricky: Your customer contracts and agreements may include terms that require you to comply with statutes or regulations that normally apply to their businesses only. These requirements are common in contracts with the healthcare industry, government agencies, education and others.
Evaluate, prepare and prevent. As you sift through what happened, start asking what you can do to prevent it from happening again. Yes, you have your hands full with solving the crisis at hand. Review your information management procedures and policies. Study the facts of the current incident to determine what should change.
To paraphrase Gartner’s information security experts: Are you keeping the bad guys out? How do you let the good guys in? And, are you keeping the whole system running well? As you answer these questions, you are building your plan for communicating with customers, regulators, media and authorities about the whole situation — which brings us to the final step.
Communicate. With all the information from these steps, you’ll have everything you need to execute a communications plan to notify affected persons and other relevant parties. If you are required to issue a specific notice by statutory, regulatory or contractual requirements, develop the notice in accordance with such requirements.
Some statutes or regulations require a written notice; others permit telephonic or email notice. In addition, most statutes require the notice to contain specific information including a description of the nature of the breach, what steps your organization has taken to address the current incident, and the steps your organization is taking to reduce the chance that similar breaches will occur again.
Recently, some companies have offered assistance such as victim assistance hot lines or free credit monitoring services.
When a large number of individuals are affected, or if compliance with notice requirements is extremely costly, some states permit issuance of notice via alternative formats such as press releases, Web sites or other publication through media outlets.
Finally, before sending your notices, train the employees who will come in contact with affected persons on appropriate assistance and response to inquiries.
Whew! If this list seems like a lot to do in a short time, it is. So, in short, plan for an information security breach before it happens. Identify your crisis management team, update your policies and review your information management practices. As many have found, it’s not a matter of whether your organization will face an information security breach — but when and how you handle it.
Cheryl Burtzel is a partner at the law firm McGinnis, Lochridge & Kilgore. E-mail her at [email protected].