Preparing for Data Breaches and Interruptions of Digital Services During a Crisis

By Michael Sitrick

The COVID-19 pandemic continues to reveal new challenges few could have anticipated. Beyond the health care issues, which of course must take priority, cyber-security has become an increasingly critical concern, whether through outright scams or the hacking of vulnerable remote networks.

In our experience helping clients prepare for and deal with cyber-attacks over the past three decades, never have we seen such a broad exposure to risk.

Disclaimer: This article provides no legal opinions. Our public relations and crisis communications firm, Sitrick And Company, works closely with major companies and the nation’s top law firms but does not provide legal advice.

Law enforcement and cyber-security threat analysts have issued warnings in past weeks of an elevated level of COVID-19 online scams, phishing emails disguised as bulletins from the World Health Organization, ransomware demands on hospitals and medical device companies racing to develop tests and vaccines, and an increase in the level of penetration attempts by hackers seeking unpatched software, open ports, and other points of entry to private and public sector databases.

Many IT teams have pivoted their focus from system administration and application development to an all-hands-on-deck effort to equip and support a massive increase in remote workers. As those tech support teams focus on adding VPN capacity, rolling out distributed collaboration tools such as Slack and Zoom, and providing desktop support to employees working remotely on poorly secured home networks, cyber-security experts are concerned that existing security measures and management may suffer, exposing companies to possible data breaches. The consequences of such a breach, especially given the severe penalties written into the EU’s GDPR and the California Consumer Privacy Act, are high mitigation and remediation costs, reduced customer confidence, and the loss of intellectual property and trade secrets to state-sponsored hackers. This, of course, is in addition to the most serious cost: privacy breaches affecting employees and customers and the potential fallout from them. And then there is the possible public perception that the company didn’t take the proper measures to protect employee or consumer data, which could lead to a loss of public confidence, litigation or regulatory scrutiny.

But IT isn’t the only business support function operating in challenging times. Many general counsels and their legal teams have necessarily shifted their priorities away from cybersecurity and privacy compliance to focus on labor laws and sick leave policies during the pandemic. In Morrison & Foerster’s study examining the business impacts of the coronavirus outbreak, about one third of the general counsels at global companies surveyed cited data security as a major risk, while just 18% said privacy was among their top priorities.

No company wants to compound the current stress on its organization by having to confront and respond to a data breach or online service outage. By preparing today for the elevated risk of an attack on, or failure of, its digital platforms and the loss of its most valuable data, a company can reduce the impact of a cyber incident in the future. Here are some steps companies should consider when reinforcing the security of their information technology and the privacy of their employees and customers:

Review the corporate insurance policies. Some corporate insurers provide coverage for cybersecurity related outages and data breaches, but cyber-risk policies are relatively new and inconsistent in their riders and coverage levels. Consult with an experienced underwriter and seek the counsel of law firms with cybersecurity, insurance and privacy practices.

Develop or revise the cyber-crisis management and communications plan. This plan should be a cross-function collaboration between the Chief Information Officer, the Chief Risk Officer, Chief Information Security Officer, General Counsel, and corporate communications team. It should include the counsel from external experts such as a cyber-forensics consultant, outside counsel’s cybersecurity/privacy practice, and crisis communications specialists with deep technology experience.

Establish the cyber crisis response team and designate roles, responsibilities and key stakeholders. This team should be organized with a clear governance model that defines lines of authority and designates official spokespeople with a direct reporting line to the CEO. Because internal communications could be compromised by a hacker (as happened to Sony Entertainment when North Korean hackers gained access to the company’s email servers), pre-establish an alternative communications platform for use if corporate systems go off-line or the company is threatened and must take its systems off-line. Backup collaboration tools and a secure messaging service should be established before a crisis, not during one. Review the organization’s relationship to relevant regulatory bodies and law enforcement in all geographical domains where the company operates. Identify which regulators and law enforcement officials need to be notified and apprised of any incidents, and establish a working relationship with them. Retain relevant outside expertise on the advice of outside cybersecurity counsel and internal security staff.

Develop a communications plan that coordinates messaging with key law enforcement and government officials, regulators, the media, vendors, partners, customers and employees. Prepare comprehensive contact lists, draft statements, and ensure communications are prepared for different audiences: e.g. scripts for customer service personnel taking calls from concerned customers, and for the investor relations, human resources and internal communications teams.

Prepare for the surprise factor. Some data breaches go undetected for months. Sometimes hackers will announce the exploit; other times law enforcement or a technology vendor will inform a company that its systems have been breached. It is crucial that any early statements made by the victim of an incident not speculate about such things as the number of customers affected, or guess at the identity of the attackers, until verified facts are in hand. Many responses to data breaches are fumbled in the first news reports about the incident, when companies try to appear in control of the situation by sharing numbers without qualifying them as preliminary, or by identifying who they “believe” is responsible before they have the facts. It is important to acknowledge that a breach has been reported or detected, and that details will be released as law enforcement and private cyber forensics investigations establish the facts. If preliminary numbers are available and it is believed there is a need to disclose the scope of the breach, it is critical to emphasize that the numbers are preliminary and could change. Customers who are concerned their personal information has been compromised should be directed to specific toll-free numbers and separate websites established to provide information about identity theft, credit report services, and other measures to protect the integrity of their accounts.

Review the legal implications of statements. In the heat of the moment, when a data breach is first discovered or essential systems are disabled by ransomware, it can be tempting to issue an apology, even though the company may be the victim of a crime or of a self-inflicted outage due to poor technology deployment. Apologies and statements of contrition must be cleared by the company’s attorneys since, if made prematurely or with the wrong language, they could be used against the company in future lawsuits.

Focus on the fix. As soon as possible, statements should include what measures are being taken to fix the breach, restore service, and preserve customer privacy. It is important that customers, employees and other key constituents hear what actions are being taken to ensure – as much as possible – that what occurred will not happen again.

The population working and studying from home has increased traffic on public communications networks by a third in recent weeks. Network speeds are deteriorating, and some streaming services have throttled back the quality of their videos from high to standard definition while operators rush to add capacity to absorb the surge in use. The fact that a huge portion of the world’s workforce can continue to work remotely, and did so on short notice, is due to the power of the Internet.

The Internet’s origins as a military network capable of surviving a nuclear attack are serving us all in these difficult days, granting public health officials, for the first time, a powerful tool that can slow the spread of the virus by isolating us, the potential carriers and victims, in our homes with our laptops. The impact of a sustained general outage could be severe and would cut off millions from vital news and from connections to colleagues and loved ones. As service providers rush to add capacity to the network, organizations that depend on its connectivity should examine their crisis plans in the event of a wide and prolonged outage.

Read the original article on law.com

Sitrick And Company cyber-crisis and strategic communications professionals are available to assist you with developing a cyber-risk communication plan, whether before or after a breach. We have represented numerous clients in a wide variety of industries that have suffered breaches of vital corporate data, lost control of customer information, and suffered the catastrophic theft of hundreds of millions of dollars in funds. We’ve developed a tested method to prepare for and respond to a cybersecurity incident in partnership with many leading cybersecurity attorneys, insurers, and forensic specialists.