You’ve Been Breached: What Now?
David Schulz is back with another post on cyber security. This time, David shares what to do if your organization’s data is hacked. ~Kivi
Guest Post by David Schulz
It’s Monday after the Spring Gala, you’re in early to write thank you notes but your phone has a dozen messages waiting from supporters. Each begins the same: “I got a call from the bank asking about all these odd credit card charges.” Uh oh…
Or, its tax season and a staff member who went looking for their W-2 on the website also found everyone else’s.
Or, you find your laptop missing, full of donor reports and media contact lists with private numbers.
To growing dismay, you realize that your organization has been cyber-breached. What’s your first step?
These scenarios – data theft, self-inflicted cyber wounds, loss of IT equipment – each account for a third of the cyber breaches reported by nonprofits. Regardless of the cause, there are immediate crisis response steps every manager should know. Three aspects need to be addressed: legal, operational, and public relations.
Start with a call to the organization’s lawyer. (I know … “first call a lawyer” is unpleasant advice, but a cyber-breach is potentially a crime scene; while the organization may be a victim, it may also be an unwitting accomplice.) An attorney is best suited to investigate the facts and protect the organization from further damage.
Gather policies and procedures about information handling and security; find a copy of your liability insurance policy and the agent’s phone number.
The next step will be to find out what happened. Who was affected? What data was lost and by what systems? Consider whether the investigation should be conducted by internal or external parties. Be prepared to discuss the “information life cycle” of the data that’s been breached … how was it gathered, how was it stored, what were the plans for its use and eventual destruction?
Facts at hand, counsel can determine if state law requires notifying those affected. Forty-seven states have breach response laws, differing in terms of triggers and obligatory responses. The Commercial Law League of America (CLLA) provides a spread-sheet summarizing each state’s law; it’s worthy of review.
Once the type of data loss is determined, the organization’s obligations become clearer. Counsel will help identify whether federal laws like FCRA, HIPAA, COPPA or GLBI come into play.
In the example of the spring gala (true story), you already know one set of industry regulations to be dealt with: PCI-DSS, Payment Card Information Digital Security Standards. If your organization takes plastic, someone ought to be aware of its rules for security management, policies and procedures. The Payment Card Industry website has resources to keep you and data protected.
Operationally, the process that permitted the breach should become apparent by the fact-finding. Perhaps it’s lack of volunteer training. Or insecure software on the server. Or laptops and phones unprotected by passwords and encryption. The facts will lead you directly to best practices to prevent this type of breach from re-occurring.
From a PR perspective, cyber-breaches threaten reputation and relationships. Crisis communication is the art of managing relationships in the wake of a negative event; effective crisis response can actually strengthen relationships.
Cyber-breaches have distinctive issues, calling on a professional’s communication skills to clarify. For instance, there is always confusion over responsibility and accountability for the information lost … and the challenge of identifying who may have been harmed … the difficulty of accurately predicting potential negative impact … the confusion of conflicting rules around notification and even the conflict of priorities between immediate disclosure and first fixing the problem.
Make sure the breach response letter is seen by the PR shop. It should respond to legal requirements and also express sincere concern, describing the steps taken to prevent a rerun. Breach letters become public; review it with an eye toward how it will look in newsprint.
Most important, remember that the public will forgive error and mistakes but deal ruthlessly with indifference, arrogance, deflection, or any attempt at cover-up.
Crises always have dramatic trigger events: the ship and the iceberg, for example. But the real reason for Titanic’s tragic loss of life occurred much earlier, before the ship sailed, at a board table when management decided the ship didn’t need the recommended number of lifeboats or lifeboat drills.
You can prevent a crisis from becoming tragic with adequate planning. The time to begin responding to an information breach is well before it happens; you can begin right now. Start by reviewing policies and guidelines in place, and taking stock of how and where information is gathered and stored.
Once you’ve decided to make it a priority, there are firms pleased to help you manage the risk. As in so many things, recognizing that there’s a problem is the first step to resolving it!
David Schulz, CIPP/US, is a privacy professional who has been a nonprofit manager and director for thirty years, initially in marketing and media relations, then fundraising and leadership. Currently serving as Commissioner on the Texas Commission of Holocaust and Genocide, Mr. Schulz has been a director on the Plano Symphony Orchestra Board and the UT-Dallas Arts and Humanities Advisory Council. He lives in San Antonio with his wife Ann, a field leader in cyber security and a certified ethical hacker: their pillow talk, though dull, is encrypted and password protected.