3.1.1 Incidents

Today, the majority of organizations that plan for data breaches include it as part of their cybersecurity incident response program, which is typically developed within the IT department. This is largely for historical reasons and not because it is the best strategy. In the early 2000s, virulent worms such as Blaster, Slammer, and MyDoom wreaked havoc across networks, infecting hundreds of thousands of computers and causing network outages. Information security teams prepared by implementing antivirus, network monitoring, intrusion detection, patching, and reimaging mechanisms. It was clear that the community needed a model for planning and responding to these types of threats.

In January 2004, the National Institute of Standards and Technology (NIST) released its first Computer Security Incident Handling Guide. What is an “incident”? According to NIST: “A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”⁸

8. Paul R. Cichonski, Thomas Millar, Timothy Grance, and Karen Scarfone, Computer Security Incident Handling Guide, Special Pub. 800-61, rev. 2 (Washington, DC: NIST, 2012), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.

The classic NIST model breaks a cyclical incident response process into four high-level phases, shown in Figure 3-1:

1. Preparation

2. Detection and Analysis

3. Containment, Eradication, and Recovery

4. Post-Incident Activity

Theoretically, responders move through these phases of response in roughly linear cycle, returning to previous phases repeatedly as needed.

The NIST incident response lifecycle model actually worked very well when applied to the most widespread cybersecurity incidents of the early 2000s. When a virus or worm was detected, it was analyzed and then “contained” using network throttling or antivirus. The infected system was cleaned or reimaged (“eradication”); data was restored (“recovery”); and finally the incident was documented and (if necessary) discussed at a postmortem meeting.

Since then, organizations throughout the nation have used it as the basis for planning and managing cybersecurity incident response, including data breaches. And therein lies the problem: While the NIST guide is very helpful for managing many kinds of computer security incidents, as we will see, a data breach is typically not just an incident and therefore must be managed differently.

3.1.2 Data Breaches Are Different

Where in the NIST incident response lifecycle is the part where regulators fine your organization for negligence? Where does the CEO make a public statement? Where are the notification letters, the phone calls to insurers, the class-action lawsuits?

The NIST model can supposedly apply to “loss of data confidentiality,” but frankly, the tidy NIST model isn’t all that useful when managing a data breach. Most organizations include data breaches in cybersecurity incident response plans, but when an actual data breach occurs, the playbook goes out the window.

3.1.3 Recognizing Crises

Crisis management expert Ian Mitroff carefully differentiates between an incident and a crisis as follows:

• An incident is “a disruption of a component, a unit, or a subsystem of a larger system, such as a valve or a system generator in a nuclear plant. The operation of the whole system is not threatened and the defective part is merely repaired.”

• A crisis is “a disruption that . . . affects a system as a whole.”⁹

  9. T. Pauchant and I. Mitroff, Transforming the Crisis-Prone Organization (San Francisco: Jossey-Bass, 1992), 12.

Steven Fink further defines a crisis as “any prodromal situation that runs the risk of”:

1. Escalating in intensity.

2. Falling under close media or government scrutiny.

3. Interfering with the normal operations of business.

4. Jeopardizing the positive public image presently enjoyed by a company or its officers.

5. Damaging a company’s bottom line in any way.¹⁰

   10. Steven Fink, Crisis Management: Planning for the Inevitable, rev. ed. (Bloomington, IN: iUniverse, 1986), 23–24.

Data breaches, by their very nature, create risks in all five of Fink’s categories above.

3.1.4 The Four Stages of a Crisis

The NIST incident response lifecycle is very useful for certain types of incidents. However, the purpose of having a model is to help us to better understand a situation and respond more effectively. When it comes to data breaches, Fink’s crisis management model is a more useful tool for understanding data breach management and response, as we will see throughout this book.

According to Fink, every crisis moves through four stages. These stages are:¹¹

11. Fink, Crisis Communications, 46.

• Prodromal - The “precrisis” phase, in which there are warnings or precursors that, if acted upon, can enable responders to minimize the impact of the crisis.

• Acute - The “time when chaos reigns supreme,” according to Fink. At this stage, the crisis has become visible outside the organization, and leadership must address it.

• Chronic - During this stage, “litigation occurs, media exposes are aired, internal investigations are launched, government oversight investigations commence.” As the name implies, the chronic stage can last for years.

• Resolution - The crisis is settled and normal activities resume.

These stages apply neatly to data breaches, which typically do include a prodrome (such as an intrusion detection system alert), followed by an acute phase (such as an intense media scandal). This results in lawsuits, public outcry, internal investigations, etc., as described in the chronic phase. Finally, the breached organization may reach the resolution stage, typically after undergoing changes to processes and procedures. It can take years to get there.

The goal of crisis management is to “manage the prodrome so successfully that you go from prodrome to resolution without falling into the morass of the acute and chronic stages.”¹² The same is true of data breaches: the best way to manage a data breach is to prevent it from occurring in the first place. If that is not possible, the next best technique is to rely upon a strong detection and response program, so that your response team can identify the earliest signs of an intrusion and react quickly enough to minimize the risk of data exposure. Effective network instrumentation, logging, and alerting are key elements of a strong detection and response program. Finally, if a data breach reaches the acute crisis phase, then it is important to have a strong crisis management and crisis communications program in place. This latter piece—crisis communications—is critical. It is not enough to manage the data breach crisis itself; you must also take care to manage the perception of the crisis.

12. Fink, Crisis Communications, 47.

3.2.1 Image Is Everything

When a data breach crisis occurs, organizations face a significant threat to their image. “Image” is the perception of an organization in the mind of a stakeholder. Far from being a superficial matter, an organization’s image is vital.

A damaged image can impact customer relations, as well as investor confidence and stock values. Image is also critical for defining the organization’s relationship with law enforcement, regulators, and legislators. In a data breach, damage to an organization’s image can trigger consumer lawsuits, cause increased fines and settlement costs, and even affect the content of laws that are passed as a result of the crisis. It can impact hiring, morale, and employee retention. If image repair is fumbled, key executives may be forced to step down as a result of a breach, as Equifax’s CEO shockingly discovered.

The impact of a data breach on an organization’s image depends on many factors. Image repair expert William L. Benoit says that a threat to one’s image occurs when the relevant audience believes that:¹⁵

15. William L. Benoit, Accounts, Excuses, and Apologies, 2nd ed. (Albany: SUNY Press, 2014), 28.

1. An act occurred that is undesirable.

2. You are responsible for that action.

Data breaches can damage the relationship between stakeholders and the organization. There is a risk that the organization will be perceived as responsible for the undesirable act (the breach). This, in turn, creates a threat to the organization’s image.

3.2.2 Stakeholders

Fundamentally, a corporate image is the result of a relationship that the organization develops with each stakeholder. To use Equifax as an example, key stakeholders include:

• Consumers

• Shareholders

• Employees

• Regulators

• Board of Directors

• Legislators

• And more

These categories of stakeholders have different concerns in the wake of a breach.

3.2.3 The 3 C’s of Trust

A data breach can injure the relationship between stakeholders and the organization. Specifically, it damages trust. Military psychologist Patrick J. Sweeney conducted a study of enlisted soldiers in 2003 and found that three factors were central to trust:¹⁶

16. Michael D. Matthews, “The 3 C’s of Trust,” Psychology Today, May 3, 2016, https://www.psychologytoday.com/blog/head-strong/201605/the-3-c-s-trust.

• Competence - Capable of skillfully executing one’s job

• Character - Strong adherence to good values, including loyalty, duty, respect, selfless service, honor, integrity, and personal courage

• Caring - Genuine concern for the well-being of others

As we will see, these three factors apply as well in the context of trust between stakeholders and an organization.

3.2.4 Image Repair Strategies

Throughout this book, we will see that breached organizations work hard to preserve and repair their images. Here, we will introduce a model for analyzing different strategies, in order to evaluate their effectiveness.

Benoit lists five categories of image repair strategies:¹⁷

17. Benoit, Accounts, Excuses, and Apologies, 28.

1. Denial - The accused denies that the negative event happened or that he or she caused it.

2. Evasion of Responsibility - The accused attempts to avoid responsibility, such as by claiming the event was an uncontrollable accident or that he or she did not have the information or ability to control the situation.

3. Reducing Offensiveness - The accused attempts to reduce the audience’s negative feelings through one of six variants:

   • Bolstering - Highlighting positive actions and attributes of the accused

   • Minimization - Convincing the audience that the negative event was not as bad as it appears

   • Differentiation - Emphasizing differences between the event and similar negative occurrences

   • Transcendence - Placing the event in a different context

   • Attacking one’s accuser - Discrediting the source of accusations

   • Compensation - Offering remuneration in the form of valued goods and services

4. Corrective Action - The accused makes changes to repair damage and/or prevent similar situations from occurring in the future.

5. Mortification - The accused admits that he or she was wrong and asks for forgiveness.

All of these image repair strategies can, and have, been employed in data breach responses, some to greater effect than others.

3.2.5 Notification

Notification is perhaps the most critical part of data breach crisis communications, and it can have an enormous impact on public perception and image management. Key questions include:

• When should you notify key stakeholders? Rarely, if ever, are all the facts about a data breach known up front. On the one hand, a quick notification can signal that you care and are acting in good faith. On the other hand, it may be the case that by waiting, you find out more information that reduces the scope of the notification requirements. There is no “right” time, and crisis management teams have many tradeoffs to consider.

• Who should be notified? There are internal notifications (e.g., upper management, legal) In some cases, it may be appropriate to bring in law enforcement. Certain states require notification to an attorney general or other parties. Depending on the type of data exposed, it may be necessary to alert consumers or employees.

• How should you notify? Paper mailings, email notification, a web announcement, or phone calls are all common options. Your notification requirements vary depending on the type of data exposed, the number of data subjects affected, the geographic location of the data subjects, and other factors. Notification can be expensive, and often cost is a limiting factor. Today, many organizations take a multipronged approach, which includes email or paper individual notifications, supported by a website FAQ and a call center where consumers can get more information.

• What information should be included in a notification? On the one hand, you want to build trust and appear transparent. It’s also important to give data subjects enough information to reduce their risk, whenever that is possible. At the same time, current laws are not in line with the public’s expectations of privacy. Typically information that is not specifically regulated (such as shoppers’ purchase histories or web surfing habits) are not explicitly mentioned in data breach announcements, even if it is likely that information has been exposed.

In this section, we highlight some of the key challenges that breach response teams face when determining when, who, and how to notify.

3.2.6 Uber’s Skeleton in the Closet

Woe to the company that keeps a data breach secret—and then eventually is unmasked.

Uber is one such company. In 2016, Uber fell victim to cyber extortion—and made a bad choice. An anonyous hacker (who called himself “John Dough”) emailed the company, claiming to have found a vulnerability and accessed sensitive data. It turned out that he had gained access to the company’s cloud-based repository at GitHub, where he found credentials and other data that enabled him to break into Uber’s Amazon web servers, which housed the company’s crown jewels—source code and data on 57 million customers and drivers (including approximately 600,000 driver’s license numbers).

The hacker politely but firmly demanded a payoff for the discovery of the “vulnerability.” At the time, Uber had a bug bounty program, managed by the speciality company HackerOne. After verifying the hacker’s claims, Uber discussed payment for the hacker’s report. Rob Fletcher, Uber’s product security engineering manager, informed John Dough that the bug bounty program’s typical top payment was $10,000. The hacker demanded more.

“Yes we expect at least 100,000$,” the hacker wrote back. “I am sure you understand what this could’ve turned out to be if it was to get into the wrong hands, I mean you guys had private keys, private data stored, backups of everything, config files etc. . . . This would’ve heart [sic] the company a lot more than you think.”²¹

21. “Uber ‘Bug Bounty’ Emails,” Document Cloud, https://www.documentcloud.org/documents/4349230-Uber-Bug-Bounty-Emails.html (accessed March 19, 2018).

Uber acquiesced and arranged for payment of $100,000. It turned out that there were actually two hackers—the original “John Dough,” based in Canada, and a second person—a 20-year-old man in Florida who had actually downloaded Uber’s sensitive data. According to reports, “Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged.”²²

22. Joseph Menn and Dustin Volz, “Exclusive: Uber Paid 20-Year-Old Florida Man to Keep Data Breach Secret: Sources,” Reuters, December 7, 2017, https://www.reuters.com/article/us-uber-cyber-payment-exclusive/exclusive-uber-paid-20-year-old-florida-man-to-keep-data-breach-secret-sources-idUSKBN1E101C.

Internally, the case was managed by Uber’s CSO, John Sullivan, and the company’s internal legal director, Craig Clark. Reportedly, Uber’s CEO at the time, Travis Kalanick, was briefed. Uber’s team made the decision that notification was not required, and the case was closed—or so they thought.

3.3.1 Competence Concerns

After announcing the breach on September 7, 2017, Equifax was immediately off on the wrong foot. Consumers rushed to freeze their credit, only to find that Equifax’s freeze request page was unresponsive.²⁷

27. Brian Krebs, “Equifax Breach: Setting the Record Straight,” Krebs on Security, September 20, 2017, https://krebsonsecurity.com/2017/09/equifax-breach-setting-the-record-straight.

Equifax also set up a website that consumers could visit to find out whether their data was exposed, but as investigative journalist Brian Krebs reported, the site was “completely broken at best, and little more than a stalling tactic or sham at worst.”²⁸

28. Brian Krebs, “Equifax Breach Response Turns Dumpster Fire,” Krebs on Security, September 8, 2017, https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire.

The site asked consumers to submit the last six digits of their SSNs in order to determine whether they were affected. Consumers who did enter their information received vague and often conflicting results. Krebs reported that “[i]n some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.”²⁹ Krebs himself did not receive a yes-orno answer, but rather “a message that credit monitoring services we were eligible for were not available and to check back later in the month.” These responses were infuriating for consumers, who were anxious and frustrated that the promised corrective action was not available.

29. Krebs, “Equifax Breach Response.”

Tensions were further inflamed when consumers discovered that in order to sign up for Equifax’s free TrustedID credit monitoring service, the terms of use required them to forfeit their rights to participate in a class-action lawsuit (language that Equifax later said had been included inadvertently). Equifax quickly changed the language following public outcry.³⁰

30. Mahita Gajanan, “Equifax Says You Won’t Surrender Your Right to Sue by Asking for Help After Massive Hack,” Time, September 11, 2017, http://time.com/4936081/equifax-data-breach-hack.

Ironically, many web browsers flagged the breach information site as a phishing attack in the first few hours after the announcement. To make matters worse, the site was riddled with security holes. “[V]ulnerabilities in the site can allow hackers to siphon off personal information of anyone who visits.”³¹ While building a brand-new, interactive website may have been nice in theory, Equifax’s developers—reportedly associated with the outside public relations firm Edelman—clearly did a rush job.³²

31. Zack Whittaker, “Equifax’s Credit Report Monitoring Site Is also Vulnerable to Hacking,” ZD Net, September 12, 2017, http://www.zdnet.com/article/equifax-freeze-your-account-site-is-also-vulnerable-to-hacking.

32. Krebs, “Equifax Breach Response”; Lily Hay Newman, “All the Ways Equifax Epically Bungled Its Breach Response,” Wired, September 24, 2017, https://www.wired.com/story/equifax-breach-response.

“Talk about ham-handed responses. . . . This is simply unacceptable,” said U.S. Representative Greg Walden.³³

33. Alfred Ng, “Equifax Ex-CEO Blames Breach on One Person and a Bad Scanner,” CNET, October 3, 2017, https://www.cnet.com/news/equifax-ex-ceo-blames-breach-on-one-person-and-a-bad-scanner.

Right away, Equifax appeared incompetent. This negative image was exacerbated days later, when the media discovered that Equifax’s official Twitter account had accidentally tweeted the link to a phony phishing site, securityequifax2017.com, four times during the response. “When your social media profile is tweeting out a phishing link, that’s bad news bears,” said security professional Michael Borohovski, cofounder of Tinfoil Security.³⁴

34. Newman, “All the Ways.”

As details of Equifax’s cybersecurity issues were exposed, it painted an increasingly ugly picture. Just days after the breach was announced, Krebs reported a ridiculous vulnerability in a portal used by Equifax Argentina employees for credit dispute management: the portal was “wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin.’”³⁵

35. Brian Krebs, “Ayuda! (Help!) Equifax Has My Data!” Krebs on Security, September 12, 2017, https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data.

Two days later, Equifax confirmed in a statement that the megabreach had been caused when hackers broke into a web server, exploiting a well-known vulnerability in the Apache Struts framework. The vulnerability had been announced in March 2017, and Equifax was hacked in May—meaning that the company had more than two months to patch the system but didn’t.³⁶ Equifax announced the cause only after a research firm published an uncited report implicating the Apache Struts vulnerability, which sparked rumors.³⁷ The day after the statement was released, the company’s chief information officer and chief security officer stepped down.

36. Lily Hay Newman, “Equifax Officially Has No Excuse,” Wired, September 14, 2017, https://www.wired.com/story/equifax-breach-no-excuse.

37. Robert W. Baird & Co., “Equifax Inc. (EFX) Announces Significant Data Breach; -13.4% in After-Hours,” Baird Equity Research, September 7, 2017, https://baird.bluematrix.com/docs/pdf/dbf801ef-f20e-4d6f-91c1-88e55503ecb0.pdf.

Equifax’s CEO later blamed an employee for not installing the patch and said a subsequent security scan did not detect the issue. Consumers didn’t buy the excuse, if it was one.

Senator Elizabeth Warren tweeted: “It’s outrageous that Equifax—a company whose one job is to collect consumer information—failed to safeguard data for 143M Americans.”³⁸

38. Brad Stone, “The Category 5 Equifax Hurricane,” Bloomberg, September 11, 2017, https://www.bloomberg.com/news/articles/2017-09-11/the-category-5-equifax-hurricane.

3.3.2 Character Flaws

The integrity of Equifax, as a corporation, as well as its leadership team, was called into question immediately due to the length of time taken before notifying. “Equifax waited six weeks to disclose the breach,” wrote reporter Michael Hiltzik in the Los Angeles Times the day following the company’s announcement. “That’s six weeks that consumers could have been victimized without their knowledge and therefore left without the ability to take countermeasures. Equifax hasn’t explained the delay.”³⁹ It wasn’t just the public that was kept in the dark; CEO Smith also waited 20 days to inform the company’s board, despite the massive scale of the breach.⁴⁰

39. Michael Hiltzik, “Here Are All the Ways the Equifax Data Breach Is Worse than You Can Imagine,” Los Angeles Times, September 8, 2017, http://www.latimes.com/business/hiltzik/la-fi-hiltzik-equifax-breach-20170908-story.html.

40. Liz Moyer, “Equifax’s Then-CEO Waited Three Weeks to Inform Board of Massive Data Breach, Testimony Says,” CNBC, October 2, 2017, https://www.cnbc.com/2017/10/02/equifaxs-then-ceo-waited-three-weeks-to-inform-board-of-massive-data-breach-testimony-says.html.

The delay triggered deep suspicion. “New York Attorney General Eric Schneiderman wants to know when the company learned about the breach and how exactly it happened,” Bloomberg reported. Questions of integrity grew when it became known that three senior Equifax executives had sold shares in the company worth nearly $2 million in the days following the breach discovery.

3.3.3 Uncaring

In the aftermath of the breach announcement, Equifax’s call centers couldn’t come close to handling the flood of phone calls. Consumers were infuriated. The lack of two-way communication contributed to a growing sense that Equifax did not actually care about the consumer.

Later, in his congressional testimony, former CEO Smith apologized:⁴³

43. U.S. Comm. on Energy and Commerce, Prepared Testimony of Richard F. Smith.

We were disappointed with the rollout of our website and call centers, which in many cases added to the frustration of American consumers. The scale of this hack was enormous and we struggled with the initial effort to meet the challenges that effective remediation posed. The company dramatically increased the number of customer service representatives at the call centers and the website has been improved to handle the large number of visitors. Still, the rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many.

Smith closely integrated his personal image with Equifax’s breach response. On the same day as the breach announcement, Equifax released a video featuring Smith—presumably in an attempt to humanize the company. It didn’t do them any favors. Smith essentially read the company’s statement out loud with a wooden expression, looking like a deer in headlights. Although Equifax wisely included an explicit apology in the message, it was buried halfway through the video, and the words were not enough to overcome Smith’s strained, unemotional demeanor.⁴⁴

44. Equifax, “Rick Smith, Chairman and CEO of Equifax, on Cybersecurity Incident Involving Consumer Data,” YouTube, September 7, 2017, https://www.youtube.com/watch?v=bh1gzJFVFLc.

The Equifax breach quickly exploded into a “dumpster fire” (as Krebs put it). Smith was forced to resign after a 12-year tenure, just weeks after the breach was announced.

3.3.4 Impact

Equifax’s communications following its breach left stakeholders with the following impressions:

• Incompetent - Smith did not oversee Equifax’s cybersecurity program effectively, as evidenced by the breach and gross fumbles with technology in the company’s response.

• Lack of Character - Equifax’s delayed notification, along with rumors of an executive stock dump during the breach investigation, caused the public to question the integrity of the company and its leadership.

• Uncaring - Smith’s wooden performance in Equifax’s public relations video, combined with the call center frustrations, left the strong impression that Equifax did not care about consumers.

As a result, the breach badly damaged Equifax’s image and destroyed trust that key stakeholders had in the company’s leadership.

Throughout the acute phases of the crisis, Equifax’s stock value clearly changed based on the company’s communications. Stock prices fell from $142.72 on the day of the announcement to a low of $92.98 a week later on September 15, 2017, as shown in Figure 3-2. Things started to pick up with the resignation of the CIO and CSO; clearly shareholders began to rebuild confidence with a change of management. With Smith’s resignation, Equifax’s stock rose yet again. By the end of the year, share prices were still down, but slowly recovering.

3.3.5 Crisis Communications Tips

There are many lessons to be learned from the Equifax breach, but perhaps none are so well illustrated and so poignant as those relating to crisis communications. In today’s day and age, many CEOs—too many—will find themselves in much the same position as Smith.

In those first few hours, days, and weeks, keep in mind the following priorities:

• Maintain Trust with Your Stakeholders. Remember the 3 C’s: Competence, Character, and Caring.

• Tell It Early, Tell It Yourself. Maintain a congenial relationship with the media. By providing a quote when contacted by the press, you send the message that you are not trying to hide.

• Tell the Truth. If you tell the truth, you won’t have to suffer the consequences of a scandalous lie.

• Make It a “One-Day” Story. Few data breach stories are ever really one day, but get as close as you can by consolidating announcements and responding to the press as quickly as possible. Don’t give journalists incentive to “dig.”

• Take Responsibility. This is the foundation for rebuilding trust.

• Apologize Clearly and Quickly. A sincere apology diffuses anger and shows respect for your stakeholders.

• Listen! Prepare your staff to listen to stakeholders. For example, you might consider opening a call center in response to the breach, so that members of the public can quickly speak with a real human. Likewise, shareholders, regulators, and other stakeholders need a point of contact who can listen to their concerns and diffuse strong emotions.

• Make Sure Your Tools Work. Too often, when a breach occurs, breached companies offer services to the public, such as a hotline or credit monitoring, but the technology or processes to support them are broken or not immediately available. This further inflames sentiments.

• Make Amends. Use image repair tactics such as compensation or corrective action to restore your organization’s image.