A “crisis” can mean different things: a severe business interruption or disaster, a legal issue, a media inquiry into a company event, or a data security breach. Crisis communications, likewise, means different things to different people. What we’re talking about today is communicating with your customers (and with shareholders) to notify them that a security event or breach has taken place and to tell them the steps you will take to resolve the situation.
Data breaches are increasing at an alarming rate, rising 47 percent from 2007 to 2008 according to Identity Theft Resource Center’s 2008 Breach Report. Those are just the breaches that are reported. The possible causes of a security breach are countless as well, from a stolen laptop, network intrusion, lost flash drive, to printed statements mis-matched in recipients’ envelopes (personal customer information mistakenly viewed by someone other than the customer). Security breaches happen almost every day in the United States.
The regulatory and financial implications of a security breach can be devastating. Financial losses come not only from customer turnover or a stock downturn when news of a breach breaks, but also from the fines and settlements that are likely to follow the incident. In June of this year, one of the nation’s largest retailers was ordered to pay millions to cover the expenses of multiple states’ investigations into a security breach. Another retailer incurred fines in the millions for HIPAA violations. Beyond fines, “lost business accounts for up to 69 percent of data breach costs” according to the 2008 Ponemon Institute Annual Study: Cost of a Data Breach. Can you afford not to be prepared?
Legal requirements for security incidents vary by state. It is important to know the rules for the state in which your company resides, and also the rules for states where your customers reside. Keeping on top of these changing laws should be a top priority for every company’s legal department. Each state provides their definition of a breach, what the disclosure requirements are (what method of communication is required to notify your customers), the timeframe for disclosure, and if any secondary measures are required (the need to provide free credit monitoring or fraud protection services). Most state laws are currently vague in the timeline requirement for notifying customers of a breach, but Maine has just passed a law requiring notification no longer than seven business days after a law enforcement agency determines that a notification will not compromise a criminal investigation. More states are likely to adopt this timeframe requirement. What that means to you as a company is that you need to have a crisis communications plan in place before you need it, tested and ready to act when and if you need it.
The three key elements of a security breach crisis communications plan follow from the state requirements for data breach notification: 1) Who needs to get the message, that is, who was affected by the breach; 2) What the message is, and what follow-up will be provided; and 3) What method will be used to send the message. Let’s take a closer look at each.
Determining who will get the message is the easy part: which data file was lost or stolen, which customer base was affected by the network intrusion. What must also be considered is which government, regulatory and law enforcement agencies must be contacted. While these agencies won’t be part of the general notification (mail, e-mail or web notification), they may need to be informed of the security event and the details surrounding it, and some laws set their own deadlines and content requirements for those notices.
For the content of your communication, remember the six W’s: what happened, who was affected, when it happened, what steps are being taken to resolve the situation, who within your organization the communication should come from, and what follow-up information you will provide. Messages should be drafted and approved by legal counsel before they are needed, with logos and signatures embedded in the data file so the letter can be printed on plain white paper for quick turnaround instead of waiting for custom letterhead. Put change management procedures in place to update logos and signatures as needed, so the print-ready data file is complete when you need it. Keep in mind that the more personalized the communication and the more information it provides, the more reassured your customers will feel. You will also need to spell out the follow-up you are providing: if you are required to offer credit monitoring or fraud counseling, include those details, along with contact information (Web site, phone number, e-mail address) for customers who have questions or concerns.
Finally, how will you deliver your message: e-mail, printed letter, phone call, or web notification? Your state requirements set the minimum, but this is one instance where less is most definitely not more. You want your customers to know that you are taking every possible step to secure their information. Using multiple channels of communication will ensure your message is received and will build customer confidence.
If your organization has not considered a crisis communications plan before, now is the time. A search for “data breach incidents” on the internet will provide plenty of evidence of the importance of such a plan. Seven security breaches were reported in November alone, and that’s just the number that has been reported. Gather your continuity and risk team and determine whether you have the time and expertise to research the legal requirements and develop the overall plan, and whether you have the production time and capacity to produce any communications required. If you need assistance in any of these areas, there are vendors who can provide part or all of the plan requirements. Vendors should have knowledge of legal and regulatory requirements, crisis communications planning, and message formatting. Crisis communications vendors should be able to provide multi-channel communication options (e-mail, mail, web, call center), have security standards in place to protect the sensitive data these communications contain, and be able to execute your requirements immediately at time of need.
Planning for a data security breach is a lot like planning for a business interruption or disaster: plan ahead, test often and be prepared for the worst. Keeping your customers informed is your best defense against customer turnover, negative press and devastating financial loss. It’s not only your best defense, it’s the law.
For more information on state law requirements visit: http://www.ncsl.org/Default.aspx?TabId=13489.
About The Author
Christine Durfee serves as Mail-Gard’s Business Partner and Marketing Manager. Her responsibilities include developing and implementing Mail-Gard’s marketing strategies, public relations and trade show efforts. Christine also works with Mail-Gard’s business partners to enhance its reach into additional market segments. She joined Mail-Gard as Customer Service Manager at its inception in 1996, and then worked as a Sales Executive for a number of years prior to focusing her efforts to marketing full time.