How To Handle A Data Breach Crisis

‘Crisis’ is not a word that sensible people like and, if possible, is best avoided altogether. But let's imagine that you cannot avoid crisis and one day it ambushes you when you least expect it. Despite all of your best planning efforts, despite your increased security measures and your whole team becoming cyber aware about the most common threats, you have been hacked and data has leaked.

When crisis strikes there is only one thing to do, manage it properly.

It ain't about how hard ya hit. It's about how hard you can get hit and keep moving forward. How much you can take and keep moving forward. That's how winning is done!” ― Sylvester Stallone, Rocky Balboa

Rule Number One: Don’t Panic & Reassure Your People

When you discover that your business has fallen victim to a cyberattack, the very first thing that you should do is remind yourself not to panic. This is sometimes easier said than done, especially when everyone around you is panicking and some of your customers are aware, but you should sit down and very carefully think about how you will manage the crisis before acting.

The first step is to reassure your people by letting everyone who immediately notices the incident know that you have a proper Cybersecurity Crisis Management plan in place and that your business has prepared for this crisis event.

Reassure the people around you that your business has a plan and will follow established best practice when it comes to managing the fallout of the cyberattack and data breach, it will buy you some time to think, breathe and carefully think through your next steps. It will also calm your people down.

Rule Number Two: The Whole Truth & Nothing But The Truth

The whole truth and nothing but the truth may sound like something you would hear in a court of law and you should start acting as if you were in a court of law and carefully consider the legal fallout of the crisis. Immediately start engaging with the legal obligations that have just pounced upon your business proactively before they engage with you.  Your cybersecurity and subsequent data breach mean that your business is now subject to the statutes contained within your states data protection/breach act and that you have some legal obligations to attend to.  

Don't panic, if you get this part right the force of the law will work in your favor and help you recover from the crisis, just try and get it right is my advice.

a) Contact your local police or Sheriff's department to report the incident.

b) File a complaint with the FBI’s Internet Crime Complaint Center.

c) Collect and keep any evidence related to your complaint.

If your business has a presence or customers in the European Union (EU), then you need to be aware of the General Data Protection Regulation (GDPR) and its data breach reporting requirements. When it comes to the subject of data breaches, one of the key provisions in GDPR is Article 33 or the mandatory 72-hour breach reporting requirement, which dictates that in the event of a personal data breach, data controllers notify the appropriate supervisory authority “without undue delay and not later than 72 hours after having become aware of it.”  

Get these things right and your legal obligations are almost fulfilled, all you have to do now is find an external partner who can help you with the forensic investigation, audit and breach remediation. This may not be a big deal at all, especially if your breach involved a member of your team's laptop becoming infected with ransomware that is constrained to the individual machine. But if the breach involves the personally identifiable information many individuals, you absolutely have to take all of this very seriously and bring in contractors if necessary.

Rule Number Three: Promptly Notify Those Affected

Nobody likes being the bearer of bad news, but this is your time to shine and reassure the individuals affected by your data breach that you have a best practice plan, that you are working hard to limit the damage and that law enforcement authorities have been notified of the data breach in a timely manner. Despite all the obvious crisis, it is vital that your business is seen as calm headed, professional and in control of the events surrounding the crisis.

Ultimately notifying those affected is all about being transparent in letting the right people know when things go wrong and there are right and wrong ways to go about this.  Here are some good ideas for you to think about:

Draw Up A Plain English FAQ - Lots of security teams like to add a simply written notification FAQ to any breach notification they announce publicly and its always seen as helpful. A plain English FAQ is a good idea because your customers may not be lawyers or technically minded and they will appreciate being able to quickly read clear answers to their most basic questions about the incident.

Let Them Know You Have Brought In The Cavalry - Many security teams like to make clear that they have engaged the services of a third party forensic investigation team to help bolster their immediate response to a cyberattack and the subsequent data breach. Some like to mention the name of the security team or their parent organization, and others prefer to simply say ‘a leading cybersecurity organization’, either will work well as long as its true.

Let Them Know You Are Working With Law Enforcement - It is important to mention that you are working with law enforcement, you just need to be careful not to detail the status of the investigation, or divulge any meaningful information around the law enforcement response to your data breach. Typically law enforcement officers (LEO’s) will provide guidance on how transparent you can be about your case and around providing updates to your employees and customers.

The Devil Is Always In The Detail - Some teams like to be very specific when they talk about how they were attacked and how their organization was breached, but others are deliberately very vague with their language and you can understand how this could quickly become frustrating to your customers.  Sometimes you may not be able to talk about the details, especially if you are working with law enforcement, lawyers and private cybercrime investigators, the kind of folks who usually have good reasons for asking you not to divulge details. In general, it is important to be as specific as you can with your customers, but you do need to be very careful not to compromise trust or point the fingers at anyone in the process.

Take It On The Chin - Finding out that you have become the victim of a cyberattack can make your stomach drop and the notification process stings more than you thought it would. The way to handle this is to accept full responsibility and remember that this is a healthy part of your organization's healing process. The important thing to remember is that you have to take it on the chin and let those affected clearly see you take the punch. Nobody likes a person who shifts blame and avoids their obligations, we almost never tolerate it from those we are working with, so why would you expect the victims to tolerate your organization doing it?

Do You Have Customers In Other US States? - All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information. If in doubt, consult the National Conference Of State Legislature website for the specific wording of each states breach notification laws and the obligations they place upon your business.

Whatever You Do, Don't Be Like Uber

While we are looking at what we should do right when it comes to data breach notification, we also need to look at others who did it the wrong way and there is no better example of that than Uber. They currently hold the world championship heavyweight belt for breach notification malpractice.

What Happened To Uber? - In 2016 it emerged that Uber had failed to publicly disclose a huge data breach affecting more than fifty-seven million Uber users and exposing more than six hundred thousand driver's license numbers. Uber covered it all up and paid off the hackers to keep it quiet, which is quite possibly the worst thing they could have done in this situation.

How Did This Affect Uber Legally? - This blatant cover up of a major cyberattack and subsequent data breach violated data breach reporting and data security laws in multiple countries and eventually prompted authorities in the US, Europe and APAC begin to take regulatory action against Uber on three continents at the same time. It doesn't get much worse than this.

How Did Uber Try To Cover Up The Data Breach? - Once Uber discovered the breach, instead of fulfilling their legal obligations, they conducted a private cybersecurity investigation to identify the guilty parties and eventually found them.

When Did Uber Eventually Disclose The Data Breach? - Uber’s new Chief Executive Dara Khosrowshahi disclosed the breach more than a year after the company was hacked under the previous CEO Travis Kalanick.  Khosrowshahi fired two of Uber’s top security officials when he announced the breach.

What Were The Consequences For Uber? - In September 2018 Uber made a legal and financial settlement with 50 US states and Washington DC, agreeing to pay $148 Million for failing to disclose the data breach and its subsequent cover-up, easily marking the largest settlement in privacy case history.

Whichever way you look at it Uber dealt with their cyberattack and the subsequent data breach badly, in quite possibly the worst way. The eventual disclosure mauled Uber, their reputation, their finances, their relationships with their customers and the trust of their drivers. It's just as well that Uber is a company with more than one hundred million users globally and a billion dollar war chest or it might very well have sunk them completely.  Whatever you do, don't be like Uber.

Be Prepared For A Crisis Before It Happens

When cybersecurity breaches happen, being prepared with a well thought out crisis management plan and knowing what to do next is half the battle. The real goal of a crisis management plan is to stop a cybersecurity incident from developing into a full-blown crisis situation and regain control of the situation if a cyberattack does target your business. Unless you carefully plan for it, a cybersecurity incident can easily escalate into a full-blown legal and financial crisis.

In crisis management planning, the goal is to establish strategies and procedures that your people can stick to before, during, and after a cybersecurity crisis.

In order to be ready for a cyberattack when it happens, you need to be constantly monitoring the potential threats to your business, you need to start building an internal crisis management team so that you are ready as a unit and finally you need to make sure that the necessary resources are ready when you need them, when disaster strikes and a real crisis occurs.

Assemble A Crisis Management Team - Avoiding a cyber crisis is all about taking a broader view of crisis management so that you can properly manage a cyber incident before, during, and after the event unfolds. Effective crisis planning involves a coordinated response from multiple departments (operations, compliance, legal, public relations, marketing, HR and finance) and draws upon skill sets from across your business when a cybersecurity incident occurs.

Develop A Crisis Management Plan - Your crisis management team needs its own cyber crisis playbook, basically a complete guide to the important actions that should be taken in the event of a cybersecurity incident. Your response teams cyber crisis playbook needs to include specific and well thought out cybersecurity attack scenarios including web page defacement, theft of company hardware, a DDoS attack, as well as the obvious data breach and data leakage scenarios.

The reason that all of this cyber planning is important is because it prepares your organization to respond to specific threats and it also trains your people to handle cyber incidents in a way that limits the financial impact and reputational damage to your business. The crisis management team must go beyond a technical response and communicate with the entire organization, from the top down, so everyone is aware of what they need to be doing. It is also important that these training steps and other associated activities are rehearsed on a regular basis using live drills to make sure that your crisis management team delivers a smooth and effective response when a cybersecurity crisis knocks on your businesses door.