Your Database Was Breached: Now What?

Don't rush to notification before getting enough information from your investigation, and when you do go public, be as open as possible
Quickly Convene An Incident Response Team
After the very immediate step of capturing evidence of a breach, it's time to get the incident response team together -- and fast.

"One of the first things that's most important is to bring together the incident response team quickly," ID Experts' Kam says. "Getting the team together helps deploy a coherent investigation, and they should be able to specifically come up with options for the executive team to make decisions quickly. Decisioning paralysis is one of your worst enemies because everyone is second-guessing each other, no one wants to put their name on the letter, and all sorts of crazy things happen."

Some common stakeholders include IT folks who can offer more investigation into technical evidence, crisis communication experts within PR, an outsourced firm that was picked ahead of time during the planning stage, the legal department, and executives from the corner office.

Don't Rush To Notification
While the first inclination of organizations is to notify customers as quickly as possible that something could put their identities at risk, Kam warns organizations not to rush to notification before getting enough information together from investigations. He cites Ponemon Research, which shows organizations that rush to notify tend to spend more on their breaches as a result.

"Organizations that rush spend more time and energy and money trying to deal with problems," he says. "What we recommend is doing a very thoughtful and thorough investigation to understand what happened, who's affected, and whether or not there are data elements that would create higher risk."

Consider the recent Comodo breach. Not more than a week after the certificate authority rushed to warn of problems, it had to revise the announcement to inform customers that the extent of damage was much worse. This type of "oops, it was way worse than we thought" announcement happens all of the time and could potentially be avoided with more thorough investigations.

Weigh Customer Perception With Liability Concerns Carefully
RSA is currently being hammered by customers and partners for its tightlipped status about what exactly was exposed in its SecurID breach, and many more organizations face a big challenge on how much to actually disclose during notification above and beyond the information laid out by disclosure laws.

"The more transparent the organization can be, even if they don't know a lot yet, the better off they'll be," Kam says. "Perception is a real challenge in these situations."

Quilty explains that there is a balancing act with legal departments, but businesses must consider customer goodwill and brand value when they're fessing up to a database exposure. "If you ask the lawyers for a statement, they want to tell you not to say a word, but that's the legal side," he explains. "From a company side and a reputation side, you have to explain it to customers."

Notify In Plain English And According To Risk
Similarly, organizations need to consider having the lawyers only advise and approve notification letters rather than write them, Kam says.

"Many letters you'll see are written by people who don't write for human beings -- by that I mean attorneys. They're trying to protect their position if these letters ever surface again," he says. "Our suggestion is that it's written in plain language so that the individuals receiving it understand what the risks are."

He believes that the easier it is to understand a notification letter, the lower the costs. There will be fewer calls from customers to handle and also a smaller likelihood of lawsuits if customers feel the company is being straight with them.

Don't Turtle Following Notification
The tendency of many organizations is to think of that breach notification letter as a grenade. They lob it over the wall into the public domain and then hunker down in the weeks ensuing with a lot of 'no comments' to customers and the media. Kam says that organizations can't do it that way.

"Treat this as a crisis communications event," he says, recommending that organizations bring in outside crisis communicators with experience in events such as these.

While RSA has received flack for failure to provide full transparency, Kam says its willingness to hold conference calls with customers and partners following the breach announcement could act as a good example for other businesses in a breach situation.

"It's a lot harder to put the grenade back in the box once it has gone off," he warns.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Jai Vijayan, Contributing Writer, Dark Reading
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading