For any organization experiencing a data breach, the organization’s response to the incident remains one of the most important and yet one of the most challenging next steps. In the following guest post, Paul Ferrillo, a partner in the New York office of the Greenberg Traurig law firm, examines the ways that an organization can respond well to a cyber incident. I would like to thank Paul for his willingness to allow me to publish his article as a guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Years ago, when describing a “bad news” event, it was common to describe the situation to your colleague as “right hand column, above the fold.” Meaning that in tomorrow’s newspaper (like the paper edition of the New York Times), the written article would be in the far-right hand column, on the top half of the fold (ok, Millennials, we get it, you have never seen a “paper” New York Times). That meant the article was likely important, and that you should read it first and fast.
Today, there is no such luxury of having until the next day to respond to a bad news event. Today you are lucky if you have an hour to respond to a high-activity blogger before he or she levels you or your company with an upper cut posting you were not expecting, like “You’ve been hacked, and we know you know you’ve been hacked but haven’t said anything.” Or worse, that post is coupled with an impromptu iPhone video describing the problem. One recent commentator described a similar situation:
For [this company], it was video footage of a bloodied passenger …, being dragged off the plane by airport security guards. Once that clip hit social media, it went viral. Worse, it took [the company] two days to respond with a meaningful statement and apology. This lag made the airline look uncaring and incompetent. [i]
Yesterday, newspapers were in print. The past was sort of like this:
“The “gold standard” for pre-Internet crisis communications was Johnson & Johnson’s handling of the Chicago Tylenol killings of 1982. Someone had laced the pills with cyanide, then put the packaged product back on retail shelves. After seven people were killed, the company had vendors pull all Tylenol off retail shelves, and quickly invented tamper-proof packaging to relaunch the product. Johnson & Johnson responded fast—and honestly—taking ownership of the problem and solving it quickly. Failure would have resulted in the loss of the Tylenol brand.” [ii]
But Tylenol happened before the Internet. Before Google and the hundred thousand other blogs that post on corporate crises daily. Today our news comes at us like water from a fire hose that could knock down the strongest fire. The bloggers are relentless. The regulators can be even more relentless.
Recently many very large companies (on the global scope of the Tylenol problem) have had their own cybersecurity crises, and boy, it’s pretty easy to know those that handled the crisis well, and those that suffered the $15 million stock drop because of the big breach that was not well “appreciated” by senior management.
How do you handle a cybersecurity breach well? You avoid the things that the companies that did not handle their crisis so well messed up. Though we can’t counsel you on every iteration of every breach and every problem, here are the five most important things a company should do exceptionally well in today’s era of blogs and iPhones:
1. Don’t wait to react – it won’t get better for you: If the breach is suspected to be bad enough (which probably only you will know), you don’t have a day to react. You don’t have an hour to react. It’s time to fire up the computer or iPhone and start working fast on a response, even if the message is only “we just found out about this; we don’t know much yet, but our teams of responders and experts are working closely to get to the bottom of the situation. As soon as we know, you will know.” Or something like this. The worst response is the “sounds of silence.”
2. Not all crises are the same – so plan: Sometimes a crisis comes out of the blue, like a DDoS attack out of nowhere such as Mirai, which shut down the Internet on a Friday morning on the whole East Coast of the US. These lightning bolts must be dealt with like lightning bolts. Deal with it. Other crises, though completely unwanted, might be more predictable, like a ransomware attack. If it is one of these, get out your backup tapes; notify who you need to; and get back up and running. Then figure out what happened so it does not happen again. Finally, some crises might have twists and turns: you learn you have been breached, but find out the next day you were “first” breached three months ago and no one remedied the problem, leaving your attackers to do more damage rather than less. This sort of crisis will take teams of lawyers, crisis communicators and technicians to solve. This sort of crisis does happen. So, plan for it.
3. Not all crisis communicators are the same – plan: Back to Tylenol versus today. Does your crisis communicator or PR firm have digital media experience? Do they cover the major blogs 24/7? Can they monitor your social media outlets like Twitter and Instagram 24/7, looking for troublesome messages, highly critical bloggers or even worse (like plaintiffs’ lawyers)? Not all crisis communicators and PR firms do the digital media thing well. If you are a major corporation (and/or are publicly traded on a national exchange), you would be well served to get a digital media and social media expert on your crisis team. You need to control the message and the response. Ceding this role to the bloggers is a bad idea.
4. Practice your business continuity and crisis communications plans at least twice a year – use different scenarios. Keep it real: This one is self-evident. The worst crisis management plan is one that gets left in your desk all year. Everyone must know the plays in the playbook, from the board to the IT department to the PR department. Everyone must know their role. Speed matters. See point 1.
5. Who’s in charge? What’s the message? Plan: Maybe our two most important points. Not only must there be a crisis and social media plan of action, it is important to identify who the point person is. Who is in charge? Who is the focal point? Is it the CEO? Is it the lead director? Very hard for us to say, but we do know enough to say, “don’t pick the wrong person.” Experience matters. Sensitivity matters. Demeanor matters. A good rule to go by is “ask around the C-suite and board room.” Who is admired? Who is despised? Your social media people may have a good perspective here, as they are presumably watching your sites anyway. Also, pick more than one person as a potential spokesperson. Why? Person 1 may be directly involved in the problem. So, person 2 might have to step in.
Finally, what’s the message? Again, hard for us to say. Something bad happened. Maybe a nation-state attack? Maybe something worse, like a malicious insider. Maybe significant IP was lost. And maybe something criminal happened, which might call for the involvement of DHS or the FBI. All these factors might influence the message. But we can say with confidence: stick to the basics; plan for different scenarios; and remember, you don’t have one day to respond. It might be the dreaded hour problem. So plan ahead.