Hopefully your firm will never experience a data breach, but these days it seems more and more inevitable. In this episode of Digital Detectives, hosts Sharon Nelson and John Simek talk to Brian Wommack about common mistakes companies make when dealing with a breach, the correct way to handle the situation, and what you can do to prepare for potential threats. They also discuss the different aspects of creating a contingency plan including drafting beforehand how you would break the news to your clients.
Brian Wommack leads the strategic communications practice of Cameron LLP, often advising on high-profile and high-stakes matters including cyber intrusion and data breach contingency planning and response.
Special thanks to our sponsors, PInow and SiteLock.
Crisis Management After a Data Breach
Intro: Welcome to Digital Detectives. Reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 82nd edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises.
John W. Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is “Crisis Management After a Data Breach”.
Sharon D. Nelson: Before we get started, I’d like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at sitelock.com/legal/digitaldetectives.
We’d also like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: We are delighted to welcome as today’s guest, Brian Wommack, who has devoted his career to helping clients see around corners and solve problems or seize opportunities at the intersection of communications, public policy, and law. He leads the strategic communications practice of Cameron LLP, often advising on high-profile and high-stakes matters including cyber intrusion and data breach contingency planning and response.
Thanks for joining us today, Brian.
Brian Wommack: Thank you very much for having me.
Sharon D. Nelson: So Brian, this is a very interesting subject. We know how crazy people go after a data breach, and of course it is a crisis, and managing it is very difficult. What mistake do you see organizations make the most?
Brian Wommack: So you said “mistake”, right? So I only get one?
Sharon D. Nelson: No, you can take as many as you want.
Brian Wommack: Well, if I had to limit it to just one, I would say the one that I see very frequently and the one that is always avoidable is an organization playing the victim. If you get hacked, of course you are a victim, but in your communications with the public, they don’t really care. As far as they are concerned, they’ve given an organization their information, maybe their credit card information, maybe personal medical information, and they really expect you to keep it secure, end of story. So an organization that gets hacked and is playing the victim doesn’t play so well with the public, and that’s a totally avoidable mistake that we see over and over again.
John W. Simek: So Brian, talk a little bit about timing. How soon following a data breach should an organization really set information and communicate that out?
Brian Wommack: Well, John, that’s a really good question, and unfortunately, it’s not a straightforward answer. I would say it really depends on a lot of things, but sort of as a first principle I would say, you should communicate about it as soon as possible after you’re sure that you’ve been breached because waiting just makes it more likely that someone else is going to find out about it and break the story on their terms, and then the organization that’s been breached will completely lose control of the story.
Now, qualify that with a couple of things. Sometimes you need to let a partner or a vendor or a customer know first; sometimes there is an ongoing investigation that has to be managed in concert with the communication. I’ve had cases where the organization couldn’t communicate with the world about the breach because the hacker was still active on their systems, and so law enforcement didn’t want to give that fact out and tip them off. So there are a lot of other considerations, but the first principle is as soon as you can, subject to all of those other things.
Sharon D. Nelson: Well, how much should you wait until you know what’s going on before you communicate? What’s the rule there?
Brian Wommack: Well, I would say, as a rule of thumb, certainly as in most things, the more you know the better, but in this kind of crisis communication situation, as in many crisis communication situations, you have to get comfortable communicating with the public even with imperfect knowledge. I always tell clients they need to be able to share as soon as they can, what they can, and if that’s incomplete information, or if it’s even just to say we’re aware of the situation and here’s what we’re doing about it, that’s fine, and then promise to make frequent updates as new information becomes available, and then it’s really important that you have to keep that promise. You have to actually then update as you learn new things along the way.
John W. Simek: Well, Brian, I have my own thoughts on this, but I’m interested in yours. What’s your experience been as to how organizations usually find out that they have had a data breach?
Brian Wommack: Well, yeah, of course it can happen in lots of ways and sometimes it’s somebody in the IT organization or security organization but increasingly a lot of the times that we’re working with a client, the first they hear about it is when they get a call from a member of the media or a blogger that somehow has pieced together some information from various sources and figured out an unusual pattern and calls the company basically saying here’s what we found out, here’s what we think is going on, and often that’s the first the company is learning of it.
Now from a technical standpoint of course when you dig into it more you realize that there were people on the client-side that were actually aware of some things that were going on and maybe it just hadn’t gotten all the way through the organization yet, but sometimes the first time the C-suite, first time the management hears about it is when they get a media call and somebody from communications goes running down the hall saying, could this possibly be true, and a lot of times they think, well, gee, this isn’t true and then they find out later on, it is.
So all of that is to say, you got to think about it ahead of time. You don’t want the first time you are thinking about how you are communicating about a breach with the media to be when you’re hearing about it.
John W. Simek: From the media themselves.
Brian Wommack: From the media themselves, exactly. I mean, by definition there’s not a whole lot of time to think about how you’re going to respond when you’ve got the reporter there on the line.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Advertiser: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry-leading cloud-based suite of website security solutions includes website scanning, web application firewall, including Distributed Denial of Service mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients peace of mind, knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.
Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one-of-a-kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation including workers’ compensation and surveillance. Find a pre-screened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is “Crisis Management After a Data Breach”. Our guest is Brian Wommack, who leads the strategic communications practice of Cameron LLP, often advising on high-profile and high-stakes matters including cyber intrusion and data breach contingency planning and response.
So Brian, what can companies do to be more ready for these kinds of incidents?
Brian Wommack: That’s a great question, Sharon. I would say the first thing they need to do is to think very carefully about the people who need to be involved in the process. You can’t make a decision unless you know who the decision-makers are and every organization sort of has a different set of decision-makers for different kinds of incidents. So I would make sure that everyone knows who the team is, and also to think through what a very streamlined decision-making process looks like.
A lot of organizations, when facing a crisis, kind of hunker down and everybody gets very risk-averse and they are afraid of making a mistake, and sometimes that lengthens the decision-making process. So they really need to think ahead of time about what a very streamlined decision-making process looks like. It’s got to include all the right people, but it’s got to reach a decision in a very streamlined fashion, because in a situation like this as you can imagine, you really don’t have the luxury of time.
The other thing I would say about that is, in addition to knowing who the people are, it’s really easy to do in a, say a tabletop exercise where you have everybody seated around the table and they can provide their input, but that’s not how these things unfold in the real world.
So I would say, make sure that every key decision-maker also has a backup, make sure that backup knows who they are, make sure everyone else on the team knows who the backup is, and make sure that that backup is fully empowered to make any decision that might need to be made in a situation like this, because it seems like these kinds of incidents, as you can imagine, always happen when one of the key players is on a plane or on vacation or recovering from surgery. The organization still has to act even if some of the key players are out of place. So making sure that the organization has that decision-making resiliency is absolutely key.
John W. Simek: So Brian, I assume what you’re describing here is kind of the plan, the materials, and the incident response plan as to how the company should respond, and certainly, I would assume that they should do this ahead of time, right, making a plan instead of a reaction.
Brian Wommack: Absolutely, John. It’s very foreseeable the types of situations that most organizations are going to face, so they absolutely can and should put together not only the plan and who the people are and what the decision-making process looks like, but actually start drafting some of the materials. Think through what are the most likely scenarios that this particular organization might face, who they would need to communicate with, what the order of that would be, sort of what the cadence of the communication is, and then actually getting into wordsmithing what actually might get said in such a situation.
The last thing you want to do is face something like this and be looking at a blank screen or a blank piece of paper when not a whole lot of time ahead of time could be invested in coming up with things that are true to the organization, things that are empathetic to the customer or to whatever constituency needs to be communicated with. It’s not rocket science to figure this out ahead of time, and it’s shocking really, how many companies, how many organizations don’t just have a basic plan that includes those elements: the people, the process, and then the actual verbiage, the actual words they would use to communicate.
Sharon D. Nelson: A lot of times when I hear somebody talk for a company after the data breach, I will think to myself, well, who picked that idiot? I just say these words. It’s so obvious that they are saying the wrong things entirely.
Brian Wommack: Isn’t that true?
Sharon D. Nelson: It is true. So who should the spokesperson be for a data breach? How do you pick that person?
Brian Wommack: Well, the first principle is, don’t pick that idiot, I would say, Sharon, whoever that idiot is, and maybe that idiot was who was in the office that day. I mean, maybe the person who they trained as the spokesperson was in Aruba, I mean, that happened.
So make sure that your Plan B, maybe you don’t want to invest as much time and as many resources in Plan B as you do in Plan A, but you better make sure Plan B doesn’t provoke the response from someone listening at home, gee, why did they pick that idiot to say that? Right? So who should be the spokesperson?
This is another one of those “it depends” answers I would say, and part of it is it depends on the gravity of the situation.
If you’re dealing with a huge breach that really involves customer information, say credit card data, or Social Security numbers, it’s really going to get a lot of people exercised about it. I think at that point customers want to hear from somebody in the Executive Suite. If you have somebody much below that level, it seems that the organization isn’t taking it seriously enough; they are going to be accused by the media and other stakeholders of not taking it with the importance that they should, not facing it with the same degree of gravity that they should.
However, if it’s a fairly small breach or maybe it doesn’t include personally identifiable information, maybe it’s someone from the communications team, maybe it’s somebody from the IT team. It has to be somebody who can speak empathetically and clearly about the subject who is knowledgeable about it, who sort of understands the rules of dealing with the media, but you don’t want to take a small breach and make it into a bigger situation than it is by sending your CEO out, and then suddenly that’s the cue to the media that, oh gee, this is a really big deal and that’s going to just provide greater attention to the situation. So again, not an easy answer, because really the answer comes down to, it depends on the situation, but a lot of these kind of situations are very fact-specific.
John W. Simek: Well, Brian, as part of that and to take that a little bit further, what should that tone of that communications be? Is the media really the target or is it the consumers or is it both or do you have different messages or how does that work?
Brian Wommack: Right, now — so that’s a great question, I mean, the media — you want the reporter to like your answer maybe but you always have to remember, the media is not really who you are communicating with. Your target audience is beyond the media. The media is sort of your vehicle to get to your customer or to your stakeholder or to whoever you are actually trying to communicate with. It’s not the reporter that you’re trying to please.
The thing in terms of tone, I think the most important thing is that you come off as empathetic for those whose data has been compromised or potentially compromised, again, going back to that principle that it’s not the organization or the company being breached that is the victim here, it’s the actual people whose data is being compromised. So you want to come out with a great deal of empathy for them.
The other thing you want to make sure you communicate right off the bat is that you’re taking control of the situation, and really, it’s whatever that means and that could be something different depending on where you are, in discovering what’s going on, where you are in the investigation, but you want to make sure that the public comes away with the perception that you are dealing with the situation that you are handling it in some way, and that you are going to have a solution for it.
The other thing I would say is you kind of have to give room for the facts to change. We’ve all seen situations where a company has come out and stated definitively how many people were affected, and then the next day that number changes, and sometimes it changes wildly.
So you kind of have to know that going in, that the facts may change; you kind of have to leave yourself a little bit of wiggle room on that. You can say something like, here’s what we know right now. We’re still digging into the facts, we’ll let you know if the facts change, here’s the situation as we understand it at the moment. So that gives a very clear picture that you’re on it, you’re continuing to investigate, but if you say, we think fewer than a thousand people were affected by this, and then tomorrow the number is 50,000, suddenly you have no credibility at all.
John W. Simek: Right. Well, before we move on to our last segment, let’s take a quick commercial break.
Jared D. Correia: Hi. My name is Jared Correia. I love fondue, long walks on the beach, and I have a large collection of Grover Washington albums at my home. Oh, I also host a podcast on Legal Talk Network called The Legal Toolkit, where we talk about law practice management issues and Warren Zevon every month. Check us out on iTunes, Stitcher or legaltalknetwork.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Crisis Management After a Data Breach. Our guest is Brian Wommack, who leads the strategic communications practice of Cameron LLP.
Brian, how long does it take to recover from cyber incidents, particularly a breach? I mean, I think it seems to the poor people who are victims like, this is just going to last the rest of my lifetime.
Brian Wommack: Right, so let me give you a definitive answer. It takes three days to recover, how’s that?
Sharon D. Nelson: Wow. Okay, I’m impressed.
Brian Wommack: Now, I wish there were a definitive answer, but again, sure, this is another one of those that it kind of depends. It depends on how much reputational capital was lost in the handling of it and part of that goes to how ready was the organization for it, so how well did they handle it. A company that’s got a plan and has drilled on the plan and knows how to execute it, of course they’re going to be noticed as the breach is unfolding.
It’s going to get covered, it’s newsworthy, but as we see these things happen so often that pretty soon some other organization has been breached, and maybe it’s more salacious for some reason or maybe it’s bigger, and the previous breach kind of becomes one of those things you get put up on the screen as previous breaches and not as the current situation. So people forget, and people forget frankly too if it’s handled well. Where people want to come at you with pitchforks is where they think the company didn’t do a very good job either of safeguarding the data in the first place or of getting their arms around the situation and communicating empathetically about it.
Companies are remembered when they play the victim or if they make emphatic statements that have to constantly be walked back, sort of as we talked about with estimating how many people are affected and then that wildly changes over time.
Sharon D. Nelson: Well, let me ask you a follow-up question that a lot of people in the legal sector have been asking, and that is, as you well know, DLA Piper was hit by, I don’t want to call it a “Cyber Breach”, certainly it was a cyber incident, when they got a worm called NotPetya, although it goes by many other names, and it fundamentally shut down their communications, it shut down their computers, it shut down their voice systems. It pretty much crippled the firm, and they had their way of responding and came out and they had some public updates et cetera, et cetera. What did you think of their response? Was that a good, measured response?
Brian Wommack: Well, I always hate to pick on any particular response because it’s always hard to know what’s going on behind the scenes and when they were completely taken down, they didn’t have the ability to sort of think behind the scenes and coordinate in the ways that they could. I think they probably did as well as they could under the circumstances, but looking back on it, I think they wish they probably had been ready not only for a breach but for a breach that takes out their complete ability to communicate.
I mean, I’m not saying they necessarily needed to be ready with smoke signals and semaphore flags, but probably their plan should include the contingency that not only are we breached but we can’t communicate with each other, and of course that’s an enormous global organization as so many are these days that depends on the very technology that is compromised in order to communicate itself internally.
So reaching those decisions and figuring out what to do, they probably lost some time because of that factor in which they maybe had had a different plan, maybe you want to have an offline system or a backup system or some other contingency plan around communicating internally so that you can be a little more speedy, but again, I am not an armchair quarterback on these sort of things because every situation has factors that you don’t know unless you’re actually internal to the organization, so they did as well as they could under the circumstances.
Sharon D. Nelson: They did sort of have the complete catastrophe.
Brian Wommack: They did, they did. It’s something you wouldn’t wish on your worst enemy, but you can’t make this stuff up, right, I mean, it’s sort of gone from science fiction to reality very quickly.
John W. Simek: Yeah. Well, I’ve got this vision now, Brian, of our podcast listeners going onto Wikipedia to find out what semaphore flags are, but —
Sharon D. Nelson: Hey, we looked up the difference between mollusks and crustaceans. So, everybody goes on for their own reasons to look at.
John W. Simek: You’ll hear it here first, both.
Sharon D. Nelson: That’s right, exactly.
Brian Wommack: Exactly.
John W. Simek: So aside from learning what semaphore flags are, which I know what they are, but anyway, what tip would you give our listeners or anybody that’s going to face a cyber breach?
Brian Wommack: Yeah, so it just comes back to preparation, John. I think everything we talk about, it comes back to that one element. Think ahead of time about the types of situations you could face, how you would handle them, what you would say, how you decide what you’re going to say, who all has to be involved in that decision, who their backups are, who’s going to say it, how are they going to say it, and actually practice it.
I said before it’s really easy when you’re sitting around a table to know sort of who the decision-makers are. It’s a lot harder when you have to do it in real-time. So don’t just do a tabletop exercise, do a drill that actually turns a piece of information loose in an organization and have the organization actually have to respond in real-time. I mean, there are drills that get created sort of enterprise-wide and put the enterprise to the test of actually uncovering a problem somewhere and that actually getting up to the right people and the right decision-makers and then coming up with a plan. So, you got to be ready, and there’s really no excuse for not being ready because we all know that this vulnerability is there, we see it every day. So, I would just say, it’s like the Boy Scouts say, “Be Prepared”.
Sharon D. Nelson: The Girl Scouts say the same thing, for the record.
Brian Wommack: That’s true. We want to be gender-inclusive. That’s true, the Girl Scouts, they probably got to it first actually, didn’t they?
Sharon D. Nelson: Hey, Brian, I didn’t tell you I was 17 years a Girl Scout leader, so —
Brian Wommack: Well, they are a great organization. I’ve got two Girl Scouts in my own family, so —
Sharon D. Nelson: There you go, there you go, you are instantly forgiven. Brian, we want to thank you for joining us today and for being so easy to work with as we prepared for the podcast et cetera. We had a few laughs, it was colorful, it was educational. There are some things that you had come up with that John and I, although we lecture on this very topic, you came up with some ideas that were kind of novel to us, which we promptly purloined and stuck in our presentation.
Brian Wommack: Cool.
Sharon D. Nelson: So it was very educational for our listeners and I know they’re grateful as well, so thanks for being with us today.
Brian Wommack: Well, it’s a real pleasure. I enjoyed working with you both and there’s a lot of preparation work out there to be done on the technical side, on the communication side, and on the legal side too, so I think it’s — and there’s a lot of great resources out there too, so there’s really no — there’s no reason not to get out and be prepared.
Sharon D. Nelson: Well, we’re a little like Ghostbusters here, we’ve answered the question, if you have a data breach, who are you going to call?
Brian Wommack: Who are you going to call? That’s right.
Sharon D. Nelson: Yeah, you need to put that on your website.
Brian Wommack: That we just need the catchy song, right?
Sharon D. Nelson: That’s right, exactly, we’ll work on that.
Brian Wommack: Yeah.
John W. Simek: Well, that does it for this edition of Digital Detectives, and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in iTunes. If you enjoyed this podcast, please review us on iTunes.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology, and cybersecurity services at senseient.com. We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.