20 Apr When reacting to data loss, communication is the key
Editor’s note: A 2006 law requires Wisconsin businesses to notify customers when their personal information has been stolen.
When a company’s incident response team is faced with a potential security breach or data loss, there are myriad concerns to address. Many incident management plans address technical issues such as investigation, containment, and recovery. However, it is essential that each phase of the plan also cover communication – a key requirement for effective incident response.
The incident communication strategy must cover compliance-related issues, media communications, and internal communications. It also must strike a balance between openness and protection. Revealing more information than necessary could result in undue escalation or exposure of an exploitable weakness that has not yet been remedied. However, withholding information can cast your organization in a negative light and create the impression that you have something to hide.
Communication-related compliance issues
Following California’s SB 1386 in 2002, a majority of states have passed laws requiring disclosure of data security breaches. Understanding the legislation that is relevant to your organization and the impact it has on incident reporting should be a part of the planning process rather than a reactionary exercise during an actual event.
Beyond the chief security officer and the chief information officer, including an organization’s legal department or counsel on the incident response team is strongly recommended to help with these increasingly complex issues. Criteria to consider when interpreting legislation include the scope of individuals affected, the specific data types included, and the required method of disclosure.
There are few similarities among the various state laws, other than that they apply to agencies, businesses or individuals doing business in the respective states, and they require some form of notification in the event of a breach. Different states’ definitions of concepts such as “personal data” and “security breach” can vary widely.
Notification requirements vary as well. For example, Arkansas SB 1167 requires that consumers be notified of a security breach affecting data in electronic or physical form, while Florida’s HB 481 does not require notification “if after appropriate investigation or consultation with law enforcement, (the) person (responsible has) reasonably determined (that the) breach has not and will not likely result in harm to individuals.”
In addition, disclosure announcements and incident communications themselves must not create a violation of any regulation or privacy requirements – an astute spy can potentially take bits and pieces of seemingly harmless, unclassified information and deduce a state secret.
Handling the media
Establishing a rapport with media outlets is as important to incident response as a relationship with law-enforcement agencies. Your organization must be prepared for all levels of attention from local news to national wire services.
Advanced preparations for press releases, announcements, or disclosure statements should be coordinated with the business unit responsible for communications, such as public relations, marketing, or corporate communications department. Including a representative of this department on the incident management team is advisable; as a part of the team, they’ll be involved from the beginning of an incident, allowing them to personally witness the entire process and convey more complete information.
A dedicated technical liaison should be identified to assist with translation of detailed data into language that is clear and understandable by the intended audience – remember that a statement might not be reported in its entirety, and sound bites often are taken out of context creating far more damage than the incident itself.
Internal communication flow must also be addressed in the incident-management plan. This includes incident response team members, management, and the general employee base. Keeping people informed about facts surrounding the incident at the appropriate level and time and reminding them of their responsibilities to maintain the confidentiality of any related information can diffuse rumors or speculation. It will also help to minimize the risk of information being inadvertently released to outside entities, which could endanger an investigation or cause negative publicity.
Communication can make all the difference
An incident communication strategy that covers compliance related issues, media communications, and internal communications would ensure timely delivery of appropriate information to both internal and external stakeholders. A well-prepared and well-executed communications plan can make the difference between accolades from the public, the press, and colleagues, or seeing your organization’s name in negative headlines.
• State to end use of Social Security numbers for IDs
• DHFS to end practice of using Social Security numbers for ID
• Extracting and redacting: Is solution to state’s privacy fumbles right in its own back yard?
• Doyle asks Metavante to investigate state data breaches
• Mark Garsombke: Wisconsin identity theft law: A cheap plastic sword
The article previously was published in Security Magazine, and was reprinted with permission.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC.
WTN accepts no legal liability or responsibility for any claims made or opinions expressed herein.