
Post-Breach Communication: Who, What, When

No organization wants to experience a network breach or similar security issue, but chances are pretty high that it will happen at some point. Once the unthinkable has occurred, good and effective communications will be essential to getting through the experience successfully. The middle of a crisis is no time to be trying to figure out who should say what to whom; these details need to be established well in advance.
A recent survey by The Hartford indicates that most small business owners do not think they are at risk for a data breach. In reality, even if you have a good security program and maintain a great security posture, there is a high likelihood that your corporate network perimeter *will* be breached. When that fateful day arrives, there are two things that determine how ugly things get for you and your business:

1. How good your actual defenses are (how far the attackers got in, what they touched, when you identified the attack, etc.)
2. How well you handle the post-breach communications (who you speak to, when and how you speak to them, who speaks to them, what you say, etc.)

You can be certain that people like planning for breaches almost as much as they like performing estate planning. The general feeling appears to be that thinking about a breach (or a will) will bring on their demise that much sooner, but the reality is that there's no better time than the present when it comes to preparing for either event. The difference between a dilemma and a crisis is all a matter of preparation.

Your Organization's Senior Management Team


As soon as you have determined that there is a strong possibility of a breach, you should notify your senior management team. This prepares them to speak to their board members, and for the communications they may have to make to the authorities and external constituents. From here on out, you'll need to follow your internal incident notification procedures in terms of how often you update the leadership team and who the points of contact are. A recommended update interval is in the 30-60 minute range.

The Authorities / Law Enforcement


Depending on the nature and severity of the breach, you will almost certainly want to get the appropriate authorities involved. Your local police might have a special cybercrime unit that can assist, or (speaking for the United States) you might have to escalate to the local FBI office. The Federal Trade Commission (FTC) provides some other resources to contact.

Post Breach Notification: Who, What, When v2 Sep 2013
The authorities should be contacted by your legal counsel or someone on your senior management team as soon as you know for sure that you have been breached. They will provide you with additional guidance, and may even provide some assistance in conducting forensics. It is best to speak to the authorities in advance to determine who the right contact persons are, so that the process is streamlined during the actual incident.

Critical Customers and Partners


Here is where it starts to get a little tricky. Your key customers and partners need to know that something is happening, but you don't want to talk before you have anything useful to say. In many cases, they may have this requirement for notification in your contract, or they may be entitled to it by local breach notification laws. Calling up key customers and saying "I think we've been breached, but I don't have any details" is a sure way to lose key customers. It is important to balance speed with accuracy so that you can let them know as quickly as possible that a situation of a particular scope has occurred, and that it is under control. A template for this communication:

Dear Customer/Partner (this should be personally addressed):

On XXXX, we determined that we had suffered an attempted network breach. We have been able to determine YYYY and are actively working with the authorities. At this time, there is no/some/major risk to your data. We have taken the following steps to mitigate the situation. (Name key steps.) We will continue to provide you with updates on a ZZZZ basis.

For this group, it will be appropriate to update them 3-4 times a week for all but the most severe incidents. Be sure to provide actionable guidance in your communication and apologize for the inconvenience. Be proactive, not grudging, in your response, or you will adversely impact the relationship. This communication needs to come from a suitably senior member of the organization, and should occur via phone and snail mail at a minimum.

General Customers
Once you have ensured that your key constituents have been notified by phone, you will want to send out the letters and emails to everyone else. While it is important to notify everyone who is affected, you will want to have a priority conversation with those who are strategic to your organization first. Everyone else needs to know what has happened and how it impacts them. Be ready to say what high-level steps have been taken ("we've eliminated the weak point in our system and updated our procedures and tools to monitor/block more effectively"), and provide them with some assurance regarding their ability to continue doing business with you. You can direct them to your website for more information as appropriate.


General Public
Whether or not you inform the general public depends on your industry and type of organization. If you are a public company, or if your organization provides internet-based services, then you might need to let everyone know that something has occurred. Timing is important, because you don't want to post something on the website and have key customers find out there before they are called. The less said, the better, but it should follow the same format as for general customers.

Communication Timeline Overview


Here is a suggested timeline of communication for each of the aforementioned groups.

Your Organization's Senior Management Team
  When: As soon as you suspect a breach (within 1-2 hours, max)
  What: What you know about the breach so far, and when you found out
  By Whom: Senior IT or Information Security Manager
  How: As directly as possible (in person, preferably)
  Follow-up: Every 30-60 minutes

The Authorities
  When: As soon as you have confirmed the breach (within 12-24 hours, max)
  What: Everything you know about the breach
  By Whom: Legal counsel or Senior Management (CEO/President)
  How: Typically by phone or other pre-established contact mechanism
  Follow-up: As directed by law enforcement (several times a week, generally)

Critical Customers and Partners
  When: As soon as you have verified the scope (within 1-3 days, max)
  What: That a breach has occurred; that the data is safe/unsafe; that the authorities are involved
  By Whom: Senior Management (CEO, President, Executive Account Manager)
  How: As directly as possible (generally by phone and express mail)
  Follow-up: At least weekly (possibly more frequently in the very early stages)

General Customers
  When: As soon as you have confirmed the breach (within 3-5 days, max)
  What: A high-level announcement of the breach and cooperation with authorities
  By Whom: Senior person responsible for corporate communications
  How: Generally via email and snail mail
  Follow-up: As information changes

General Public
  When: Depends on your organization and industry (within a week, if at all)
  What: A high-level announcement about a potential attack and cooperation with authorities
  By Whom: Senior person responsible for corporate communications
  How: Generally via email and snail mail
  Follow-up: As information changes

In general, be timely and concise, but provide useful information. The faster you contact the authorities, the more effective your other communication is going to be. While no one wants a week to pass without being informed that their data may have been exposed, most will be somewhat forgiving if your organization was working with law enforcement very early in the process. The first few weeks following a breach or major incident are among the most crucial for any organization. Taking the time to plan in advance who will be doing what communication, and what the gist of that communication will look like, will go a long way toward handling a breach in a way that customers and innocent bystanders will respect.

Wrapping It All Up
When everything has finally been brought under control, and all the dust has settled, it is highly advisable to distribute a final communication to close out the matter properly. This will typically involve a high-level summary of the events that transpired, how they were addressed in the short term, and any lessons learned that will be applied over a longer timeframe. This is a delicate but essential matter, because it says a great deal about an organization's true level of transparency, and it has a more significant bearing upon its trustworthiness than almost any other type of statement or activity. Just as the true character of individuals is more readily highlighted in times of conflict or crisis than in times of peace, so too is the true character of an organization more clearly defined by its response to various crises.

Here are some additional resources that will help you and your organization formulate effective incident response and information security plans:

http://www.cert.org/work/coordinating_response.html
http://www.vita.virginia.gov/security/default.aspx?id=317
http://technology.umw.edu/it-policies/incident-response-plan/
http://www.vita.virginia.gov/library/default.aspx?id=537#securityPSGs
http://technet.microsoft.com/en-us/library/cc700825.aspx

Andrew S. Baker is the president and founder of BrainWave Consulting Company, LLC where he provides Virtual CIO services for small/medium businesses. See Andrew's complete social presence at XeeMe.com\AndrewBaker
