The dos and don’ts of crisis communications after a cyber attack


Photo courtesy of elidr on Flickr

Rob Swystun, Pristine Advisers

Let’s jump off the activist investor bandwagon for a moment and talk about something much more pleasant … no, wait. My mistake, this is just as unpleasant.

Exactly how unpleasant are cyber security breaches? Well, we can actually quantify that, using some numbers from a Larry Jaffee article for SC Magazine.

  • Data on 70 million customers stolen
  • 76 million accounts affected
  • 44 lawsuits filed
  • 1.1 million customers exposed
  • 7 million business accounts compromised
  • And much much more

Those rather large numbers come from data breaches at places like Target, Home Depot, Neiman Marcus and JPMorgan Chase & Co. this past year.

Customers were not the only ones affected by these breaches, as Jaffee points out. You don’t see that kind of security failure without consequences, and those consequences came in the form of upper-level sackings, lawsuits and poor financial performance at the companies affected.

The most egregious example Jaffee holds up of a lapse in security — and of how not to handle that lapse — is the one that befell Sony Pictures in connection with the planned release of its film The Interview.

Among the things Sony did wrong when dealing with the cyber security breach related to the release of The Interview, Jaffee lists:

  • Did not anticipate vulnerabilities after producing a movie antagonistic to a volatile government (Don’t be fooled by Kim Jong-Un’s cuddly exterior.)
  • Did not protect its intellectual property
  • Did not protect personal data of employees
  • Did not learn from a 2011 hack of the PlayStation Network affecting consumer data of 77 million users
  • Did not release a statement to current and former employees warning them that their personal health information had been compromised until Dec. 15, even though it learned about the compromise on Dec. 1
  • Did not heed warnings from government officials in June about problems likely to arise with the release of The Interview

The beauty about mistakes, though, is that we can learn from them (this is an especially beautiful thing when they are others’ mistakes).

So, let’s not let Sony’s misfortune go to waste. Let’s plow it for tidbits about what to do and what not to do during a major IT crisis.

Don’t Handle the Communication Last

Let’s start off with the key to all good communication: cake.

Here is just about the greatest quote I’ve ever read about communication: “How to communicate publicly is as important or more important in crisis situations. There’s a sense in crisis situations that communications is the icing on the cake, it’s what you do after everything else. My view is communication is the cake.”

That was Jim Haggerty, CEO of Crisis Response Pro. The man knows crisis communication and the man knows cake.

Communication, as MasterCard’s executive vice president Ron Green says, is often the last thing a firm thinks about during a crisis, but it is the first thing the public, customers, clients and other stakeholders see during the crisis.

So, you need to know what you’re going to do on the communications side just as much as on the security side. Have some generic messaging prepared that you can quickly adapt to the specific situation at hand and get out the door.

Don’t leave it all up to one department

When it comes to IT security breaches, an organization’s IT security staff will usually be the ones to handle the incident. But, Green says, the responsibility and the effort lie with the entire organization.

Everyone must know their role during a crisis so they can do their part in executing the crisis plan. And organizations should prepare as if a breach were inevitable.

Do be prepared with the right services

A data breach usually means people’s personal information has been stolen. Whether that’s employees’ personally identifiable information or customers’ credit card information, companies should be prepared with credit monitoring or identity protection services. This advice comes from Eric Warbasse, senior director of financial services for Tempe, AZ-based LifeLock, which provides identity theft protection.

Don’t speculate publicly about the culprits

Statements released to the public should not speculate about who is responsible for the breach and this goes doubly for companies with potential regulatory enforcement exposure, says attorney Daniel Fetterman, a New York-based partner with Kasowitz Benson Torres & Friedman.

There is sometimes a rush to get out a positive, reassuring story to quell any panic among stakeholders. However, companies should be careful not to release any incorrect information in their rush to get a message out.

Fetterman says the company’s top management, legal team, IT security staff and PR staff need to work together on a message that strikes the proper balance of positivity and confidence while ensuring all the facts are correct. (In other words, try not to act like the media.)

Since data breaches are becoming as common as auto industry recalls, Crisis Response Pro’s Haggerty says, it’s imperative to reassure the public that you have control of the situation. This is best accomplished with a system or structure in place for proper notification when something happens.

Don’t wait to get a message out

Getting a message out quickly is the reason you have a system in place and have generic copy ready to go that can be tweaked if necessary.

While technology experts often urge delaying an initial announcement until the security team has had time to learn more about a breach and possibly even find out who is responsible, that is the exact opposite of what you should do, according to Davia Temin, CEO of Temin and Company.

Customers fully expect (and deserve) to know as soon as possible if their information may have been compromised so they can start changing passwords, cancelling credit cards, etc. This is 2015 and information travels in the blink of an eye. If you haven’t made an announcement, someone else might beat you to it on social media and then the situation is going to look even worse.

A simple, generic statement that would be handy to have prepared, suggests Temin, would be something along the lines of:

“We don’t know the total parameters yet, but we know we had a breach. We’re doing everything humanly possible to close it and understand the magnitude of it. And we’ll be in continual contact with you.”

Do be cognizant of the legal ramifications (but don’t think you have to follow all law enforcement requests to keep quiet)

Not everyone involved with cyber security agrees about whether you should hold off on saying anything until you’re given the green light from law enforcement.

Trend Micro’s chief cyber security officer, Tom Kellermann, is in favor of asking the FBI and Secret Service when to notify the public. However, Jonathan L. Bernstein, president of Bernstein Crisis Management, rightly points out that neither the FBI nor the Secret Service is responsible for protecting the reputation of the company or answering to its customers and clients.

“The FBI’s request is the same as a lawyer who says, ‘don’t say anything because you’re risking liability’,” Bernstein says. “You have to look where is the biggest liability: court of law or court of public opinion.”

Attorney Steven Grimes, a partner with the Chicago law firm Winston & Strawn, takes the diplomatic approach and says that whether you heed law enforcement’s request should be decided on a case-by-case basis. He does warn, though, that litigation could very well follow: the Federal Trade Commission and states’ attorneys general may bring actions against companies that have suffered cyber security breaches for failing to provide adequate security measures, and for failing to report in a timely fashion in violation of data breach notification laws.

Grimes recommends that companies whose in-house counsel lacks experience with this type of breach reach out to outside firms that have handled them, sooner rather than later.

By learning from Sony’s egregious errors, all companies can be better prepared to handle major breaches. Don’t think you’re too big to be vulnerable or too small to fall victim. Be prepared, do some dry runs and make sure everyone knows their part. And don’t leave the communication element for last. It’s the cake, people. It’s the cake!
