When an incident response team is faced with a potential security breach or data loss, there are myriad concerns to address. Many incident management plans address technical issues such as investigation, containment and recovery. But, it is essential that each phase of the plan also covers communication – a key requirement for effective incident response.
The incident communication strategy must cover compliance-related issues, media communications and internal communications. And, it must strike a balance between openness and protection. Revealing more information than necessary could result in undue escalation or exposure of an exploitable weakness that has not yet been remedied. However, withholding information can cast your organization in a negative light and create the impression that you have something to hide.
COMMUNICATION-RELATED COMPLIANCE ISSUESFollowing California’s SB 1386 in 2002, a majority of states have passed laws requiring disclosure of data security breaches. Understanding the legislation that is relevant to your organization and the impact it has on incident reporting should be a part of the planning process rather than a reactionary exercise during an actual event.
Beyond the chief security officer and the chief information officer, including an organization’s legal department or counsel on the incident response team is strongly recommended to help with these increasingly complex issues. Criteria to consider when interpreting legislation include the scope of individuals affected, the specific data types included and the required method of disclosure.
There are few similarities among the various state laws, other than that they apply to agencies, businesses or individuals doing business in the respective states, and they require some form of notification in the event of a breach. Different states’ definitions of concepts such as “personal data” and “security breach” can vary widely. Notification requirements vary as well. For example, Arkansas SB 1167 requires that consumers be notified of a security breach affecting data in electronic or physical form, while Florida’s HB 481 does not require notification “if after appropriate investigation or consultation with law enforcement, (the) person (responsible has) reasonably determined (that the) breach has not and will not likely result in harm to individuals.”
In addition, disclosure announcements and incident communications themselves must not create a violation of any regulation or privacy requirements -- an astute spy can potentially take bits and pieces of seemingly harmless, unclassified information and deduce a state secret.
HANDLING THE MEDIAEstablishing a rapport with media outlets is as important to incident response as a relationship with law-enforcement agencies. Your organization must be prepared for all levels of attention from local news to national wire services. (See the News & Analysis article in the November issue of Security Magazine. – Editor)
Advanced preparations for press releases, announcements or disclosure statements should be coordinated with the business unit responsible for communications, such as public relations, marketing or corporate communications department. Including a representative of this department on the incident management team is advisable; as a part of the team, they’ll be involved from the beginning of an incident, allowing them to personally witness the entire process and convey more complete information. A dedicated technical liaison should be identified to assist with translation of detailed data into language that is clear and understandable by the intended audience -- remember that a statement might not be reported in its entirety, and sound bites are often taken out of context creating far more damage than the incident itself.