SAN FRANCISCO -- Message to chief security officers: to keep your job and protect the company's reputation when a data breach hits, the time to prepare is now. Your best bets, according to a panel of experts, are the following:
- A detailed response plan describing who's in charge of any internal investigation, which law enforcement agencies to contact and when, and how to deal with the media;
- Robust computer record keeping so the company can quickly determine if an attack occurred, who might be responsible and how much data was compromised;
- A good relationship with local, state and federal law enforcement;
- A personal lawyer, because the company's lawyers won't necessarily be looking out for your interests.
And when it's time to publicly disclose what happened, a detailed and truthful explanation is a must.
That's the advice experts offered during an RSA Conference panel discussion Tuesday on how to handle a data breach. The panel was moderated by Richard Baich, the former ChoicePoint CISO who found himself in the eye of a media maelstrom two years ago after the company disclosed that criminals posing as legitimate business customers had obtained some 145,000 ChoicePoint consumer records.
During the session, Baich set up a mock scenario in which the CSO of a multimillion-dollar VoIP company, formed through a series of acquisitions and mergers, learns of a possible data breach. From there, he asked the experts how they would respond to a variety of issues.
"The media has a tremendous thirst for information," he said, adding that the company must work out how to release information in a way that is measured but not underplayed. "Good news must travel fast, but bad news must travel faster."
But to deal effectively with law enforcement and the media, the CSO would need detailed records of everything from network activity to expenses incurred while dealing with a breach, said Jeffrey Ritter, a legal expert and director of Reston, Va.-based Waters Edge Consulting. "My advice is to keep detailed records and be prepared to bring everyone in on a Sunday night," he said. "You also need detailed records for law enforcement. The more you can tell law enforcement about what happened, the more interested they'll be in your case."
Daniel Larkin, chief of the FBI's Cyber Initiative and Resource Fusion Unit in Pittsburgh, agreed that being able to draw on existing relationships with law enforcement officials would be critical at the start of an investigation.
"You really want to have a relationship with law enforcement," he said. "Law enforcement is your friend and can help."
Panelists were less unified when asked about the right timing for going to the media.
Steven Blinn, president and CEO of BlinnPR, said if he were the public relations officer at the hypothetical organization suffering a breach, he would advocate going public immediately.
"PR and law enforcement will butt heads on this," he said. "Law enforcement may tell you to keep quiet and the PR side will disagree."
Larkin noted that there are cases when law enforcement might want to keep the breach under wraps in the beginning, particularly if they have a lead on the culprit and the timing of an announcement could potentially compromise an arrest. But, he admitted, instances like that are increasingly rare.
Baich noted that internal and external investigators might also be wary of rushing out a public announcement because it may not be clear exactly what happened.
"If you're struggling with the facts, how do you decide when to declare?" he asked the panelists.
Blinn said the company doesn't necessarily need to go public within two hours, and holding off for about 12 hours may be appropriate. But waiting weeks to go public, he said, could do additional damage to the company's reputation.
Whatever the timing of a public announcement, the panelists agreed the best approach is to be as detailed and truthful as possible.
"You simply say 'this has happened, and this is what we know so far,'" Blinn said.