Incident Response Planning: Breach Brigade

A comedian once suggested that an executive’s only viable option when cornered by Mike Wallace and his 60 Minutes crew is to fall to the floor and feign death. Let them in the door and you’re toast; keep them out and you only incriminate yourself in the eyes of judgmental viewers.

These days, corporate security executives can be forgiven for secretly wanting to roll over and play dead themselves. Boxed in on one side by new public disclosure laws and regulations, and on the other by an evermore savvy and sensationalistic press, CSOs increasingly must find successful strategies for responding as their breaches play out in the public arena.

Thankfully, say experts, there are alternatives to chaos and panic when a physical or digital security incident (or both, as seems to have been the case in last August’s power grid failure) becomes a matter of public knowledge.

Connie Emery, chief privacy and security officer at Tenet HealthSystem, is one security executive who’s been blindsided by a breach and lived to tell the tale. When an internal user error sent confidential patient information to the wrong person, that individual called a local news station rather than the hospital to report the incident, triggering every CSO’s worst nightmare.

“We were not aware of the problem when the media called, so that part was a worst-case scenario,” says Emery. “But we immediately put our task force on it, and it wound up going very well, all things considered.”

What put Tenet Health in a position to deal successfully with the unexpected? According to Emery, the company had a team identified and in place for just such an emergency; the team was quickly able to pinpoint the cause of the problem; and a C-level hospital executive was ready to deliver a clear, succinct explanation and message of reassurance to the public.

As in nearly all other aspects of security, preparedness is the watchword for successful public communication. Security officials from industries as diverse as health care, finance and transportation say the key is to have a plan in place before you ever pick up that phone to find a reporter or irate business partner on the other end.

Every company should have an incident-management plan, and every company’s incident-management plan should include a communication component to help determine who gets told what when and how once a breach has occurred. “If you don’t have a plan up front, you’re going to misfire,” says Michael Rasmussen, a Forrester Research analyst who specializes in security. “You need to have public relations in place. Otherwise, you communicate too much or communicate inaccurate information.”

That means that, in all but the very smallest companies, a communications professional, public relations expert or, in a pinch, human resources executive should be included in whatever team is assembled to address a security incident.

It might seem counterintuitive to ask a professionally close-mouthed security executive to cozy up with someone whose job is to talk all day long. But CSOs say a public relations executive can be security’s best friend. “A good communications person will indirectly promote your own goals. They’ll be your champion,” says John J. Melia Jr., chief risk officer at Home Loan and Investment Bank. “Their job is to synthesize information and say how it’s important to the big picture without getting bogged down in details.”

At Massport, the independent public authority that runs Boston’s Logan International Airport and other port facilities (see “Safe Harbor,” www.csoonline.com/printlinks), Director of Corporate Security Dennis Treece works with Director of Media Relations José Juves. The two have a relationship that’s so good it verges on gushywhich is saying a lot for Treece, a 30-year army intelligence veteran who directed military security during the first Persian Gulf war.

“José is a good guy. We’ve reached a good middle ground in the relationship between our two roles,” says Treece. “My responsibility as a security person is to make sure we marshal the right resources to address a problem. His expertise is putting the right emphasis on what’s happening.”

“In some places there can be friction between media and security folks,” says Juves. “But Dennis and I are very up front and honest with each other and with the media.” For Juves, who directed communications for Massport on Sept. 11, 2001, when terrorists hijacked two planes from the airport, “Inspiring confidence in the traveling public is the philosophy that unites us. [Dennis’s] job is security, which leads to increased confidence. My job is to communicate that confidence.”TeamworkWhile they are unanimous in saying that breaches are far too variable in nature to allow for a predetermined set of procedures, the security executives we spoke to have all compiled lists of internal contacts to be mobilized as an ad hoc first-response team. For Tenet Health’s Emery, that list includes people from administration, risk management, information systems, human resources, legal and corporate communications, and a privacy officer. But in each instance, a different cast of characters might be assembled depending on the circumstances.

For example, at Comerica, the financial services company, a small, core incident-response team conducts an initial assessment and then determines who should be involved, according to Julie Larson, vice president for information security, risk and awareness. A policy violation would need input from HR but wouldn’t necessarily involve outside law enforcement, she says. Any physical breach would naturally involve corporate security but might also include information security if the breach (or the forensic response) also involved corporate information systems. And when an incident potentially compromises customer data, then media relations is in on the initial response team.

With so many departments covering so many different areas of high sensitivityfraud, corporate security, IS, legal and so forthComerica has taken pains to iron out redundancies in the incident-response plan to reduce duplicate efforts and avoid toe-stepping once a response is initiated.

“We sat down and looked at all the different parts of the organization and asked, If this [type of breach] were to occur, what would your role be?” says Larson. “The goal was to try and minimize crossovers and duplication.” She notes as well that one important “administrivia” task needs to be tended tomaking sure the list of incident responders is kept up-to-date. It’s a seemingly minor detail that can turn out to be decisive in the first minutes of an incident. “People come and go; they change roles within the organization. You need to keep your incident-response plan fresh. If I need to contact media relations at 2 a.m., I need to know I’m dialing the right home number.”Letters of the Law When security has been compromised, containment is the first responsibility of that crack incident-response team you’ve put together. Simultaneously, the team will also need to determine what information must be disclosed or should be disclosedand to whom.

On the “must” side of the equation, laws such as California’s much-discussed Information Practices Act (SB 1386) increasingly play a part in determining who gets told what and when. (The law requires that companies doing business in California or having customers in the state promptly notify those customers whenever their personal information may have been compromised.)

At the same time, federal legislation is changing the way specific industries operate. In financial services, for example, the Safeguards Rule of the Gramm-Leach-Bliley Act mandates how financial institutions design, implement and maintain safeguards for customer data. Particular sections of the Sarbanes-Oxley Act require companies to audit the controls and processes underlying financial reporting and to disclose in real-time any material events that might impact a company’s financial standing.

In health care, the Health Insurance Portability and Accountability Act (HIPAA) has radically changed nearly every aspect of how patient data is collected and handled by hospitals, health-care providers, insurers, doctors’ offices, billing companies and others.

“When you have an unauthorized disclosure of patient health information, HIPAA comes into play, and we have to get our HIPAA experts involved,” says Anthony Potter, director of security at the Forsyth Medical Center in Winston-Salem, N.C. “In a situation like that, it’s in our absolute best interest to be very forthcoming with information. There are criminal penalties attached for not doing so.”

During a breach, the last thing you want is to have any member of your response team rummaging through desk drawers or flipping through compliance manuals. To be prepared, make sure at least one member of the team is current on all of your company’s legal disclosure obligations. Make sure your legal or compliance colleagues have clearly posted and explained these confidentiality laws to employees (which should also reduce the number of inadvertent breaches); and make sure your company is gathering physical and digital compliance data on an ongoing basis.

This last step should help both in detecting and shutting down a breach and, if necessary, in defending your company against potential charges of negligence. “Ensure that you’re gathering information all the time,” advises James Mobley, president and CEO of @Stake, an information security consultancy. “From a technology standpoint, that means log everything. You’ll be able to quickly gather and examine data and understand what’s going on.”

It’s also a good idea not to split legal hairs. Given all of the recent discussion on compliance and legal responsibilities, companies should avoid taking an overly narrow view of disclosure responsibilities. Says Forrester’s Rasmussen, “If you follow the letter of the law only in California, you’re going to tick off all your customers in Oregon and Washington state who’d expect to be notified too. Your incident-disclosure policy can’t be so tight that it’s going to hurt you.”Kiss And TellKeeping it simple is one of the guiding precepts of effective disclosure. Tenet Health’s Emery ticks off a list of what customers hear when there’s been a potential breach of confidentiality: “We tell them that we have been advised of an incident that may have put their identity at risk. We give summary details. We let them know that we are investigating the incident. We offer a contact and telephone number for more information, should they have questions.”

What’s not on that list is just as important as what is: There are no details that could incriminate the organization or leave it vulnerable to further attacks, no specifics that could confuse or inflame customers’ fears, and no information that could give the impression that the situation is not under control.

Security experts agree, moreover, that the content of your message to customers and business partners should be honesty tempered by brevity. “We try to go straight to the point,” says Comerica’s Larson. “We want to be open and honest, but also relieve anxiety and reduce panic. We keep to the point and give them just the information they need.”

Corporate communications are most effective when they’re backed by an overarching goal shared by all members of the response team. For Massport’s Treece and Juves, that goal is to reassure the public that the airways are safe. For Home Loan and Investment Bank’s Melia, it’s mitigating risk for his organization over the long term, not just on an event-by-event basis.

“Some security people are too quick to shoot from the hip,” Melia says. “If we have an ATM break, yes, that’s news; but in terms of understanding business processes and mitigating risk, it’s not any more [newsworthy] than dealing with bad checks or defaulted loans.”

Hard as it may be to take the long view during a short-term crisis, security executives and their communications colleagues must always be thinking of the future, agrees @Stake’s Mobley. “When the incident is finished, will your reputation still be intact?” he asks. “Your message should be clear and crisp and say what you’re doing to minimize risk for the next time. You want to emphasize that clients have placed their trust in the right organization.”