1-800-350-7209 www.breachshield.com BreachShield SM Corporate Data Breach Solutions Their information | Your reputation | Our experience. 100 Connecticut Avenue Norwalk, CT 06850-3561A S C B R E A C H S H I E L D | D ATA B R E A C H R E S P O N S E G U I D E AFFINION SECURITY CENTER | BREACHSHIELD Data Breach Response Guide www.breachshield.com
Contents 1 Introduction 04 An Explanation of Affinion’s Expertise 05 The Facts About Data Breaches What Is a Data Breach? 07 FAQ & Terminology 10 Case Study 1.1 | Insurance Services Company 2 Explanation of Laws 11 States That Require Disclosure 11 Red Flag Rules 3 Breach Preparation & Response 12 Preparation 12 Assemble Team 13 Documentation 1 13 Response/Protection Introduction 15 Case Study 3.1 | Large Healthcare Company 16 Case Study 3.2 | Large Grocery Chain 4 Communication 17 Crisis Communication 20 Case Study 4.1 | The Largest Data Breach in History 21 Case Study 4.2 | Federal Government Agency 22 Case Study 4.3 | Financial Institution 5 Solutions 23 Notification 23 Enrollment Options 23 Member Services 6 Breach Recovery Materials 25 Sample Press Release 26 Sample Letter to Employees 28 Sample Letter to Customers 7 Resources 29 Industry Experts, Contact LeadsASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 03
An Explanation of Affinion’s Expertise For over 35 years, Affinion Group has provided customer engagement solutions for more than 5,300 clients across multiple industries. In 1991, Affinion Group launched the first identity theft protection service available, PrivacyGuard®. With its development of IdentitySecure , acquisition of SM CardCops , and strong industry partnerships, Affinion has maintained its SM leadership by creating and delivering the most comprehensive, proactive and preventative solutions in the marketplace. Leading fraud experts, including Frank Abagnale, subject of the book and movie Catch Me if You Can, have endorsed Affinion Security Center’sIntroduction protection solutions. As a natural extension to our world-class protection service suite, Affinion launched BreachShield , a full service, rapid response data security breach SM response and delivery program. National and multi-national enterprises, including those in the financial, retail and travel industries, partner with1 Affinion Group for our BreachShield data breach solutions. Since 2007, Affinion’s BreachShield services have been provided to over five million individuals whose identities have been compromised by a security breach. For more information on how to implement your breach strategy and solution, please call a BreachShield security expert at 1-800-350-7209.04 Their information | Your reputation | Our experience.
The Facts About Data Breaches In the past 12 months, the number of identity fraud victims increased 22% to 9.9 million adults, for an annual incidence rate of 4.32%.1 It is now more important than ever to remember your customer’s experience during a breach incident. The customers and/or employees should easily be able to understand the breach solution you have put in place. Poor communication and execution could cause a significant customer service challenge and could lead to negative PR, heightened media scrutiny, and increased cost. The total average costs of a data breach grew to $202 per record compromised, an increase of 2.5% since 2007 ($197 per record) and 11% compared to 2006 ($182 per record).2 1 Introduction Increasing incidents where third party is responsible; growing costs: Since 2005, the percentage of incidents where a third party such as an outsourcer or consultant was responsible for a data breach has increased from 21% in 2005 to 29% in 2006 to 40% in 2007, to 44% in 2008. After experiencing a large gap, the difference in cost for a data breach based on responsibility has become increasingly stable. In 2005, the difference in per- record compromised costs between third-party and internal responsibility for a breach was $12. In 2007, that difference grew to $67, and in 2008 that amount was $52. Third-party outsourcers or consultants often analyze or process large volumes of customer-related information.2 1 2009 Identity Fraud Survey Report - Identity Fraud on the Rise But Consumer Costs Plummet as Protection Increase 2 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC February 2009ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 05
The Facts About Data Breaches (cont.) • As of Oct. 1, 2008, 44 states and the District of Columbia require companies to notify individuals (consumers or employees) regarding a potential or actual breach • Social Security numbers (38%) and names and addresses (43%) were the data most frequently compromised. Although 15% of victims suffered ATM or debit PIN compromise, and 13% credit PIN compromise, only 9% of victims went on to experience ATM cash withdrawls. Both fraudulent online and in-person purchases increased in 20081 • The total annual fraud amount in 2008 measured $48 billion, versus $45 The three main forms of identity theft billion in 20071 and their frequency, as determined by the Federal Trade Commission, through a survey of actual identity • Increased availability of public information combined with easy Internet theft victims. access has left consumers vulnerable to far more devastating types of identity theft • New accounts and other fraud • Misuse of existing non-credit card • Over 88% of all cases this year involved incidents resulting from account or account number negligence. Per-victim cost for data breaches involving negligence costIntroduction • Misuse of existing credit card $199 per record versus malicious acts costing $225 per person2 or credit card number Identity Theft Resource Center Report, • On average, consumers spent nearly $500 of their own money January 8, 2008 to clear up fraud31 • New account fraud cost the industry $18 billion and $579 per victim3 • Healthcare and financial services suffer highest customer loss: Healthcare and financial services companies have the highest average rate of churn – 6.5% and 5.5%, respectively. High churn rates reflect the fact that these industries manage and collect consumers’ most sensitive data. Additionally, the average cost of a healthcare breach ($282) is more than twice that of an average retail breach ($131). Thus, another sign that consumers may have a higher expectation for the protection and privacy of their healthcare records3 • Trust may be intangible and hard to quantify, but the result of breaking that trust is clear, as the cost of lost business represents 69% of the total cost of a data breach3 • The majority of breaches in 2008 occurred at merchants and businesses (37%), followed by the education sector (22%)4 1. Javelin 2009 Identity Fraud Survey Report - Identity Fraud on the Rise But Consumer Costs Plummet as Protections Increase 2. 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC February 2009 3. Javelin Strategy & Research 2009 Identity Fraud Survey Report 4. Javelin Strategy & Research 2008 Data Breaches06 Their information | Your reputation | Our experience.
FAQ & Terminology What is a data security breach? In simple terms, a data security breach occurs any time there is unauthorized access to company data. How do data security breaches occur? Lost laptops and system failure are the main causes of data breaches (35 and 33% respectively). Within the classification of “systems glitch,” respondents cited a number of different issues, including software applications development that did not anonymize live customer data, merger/acquisition activities in which customer data was sent to an unrelated law firm by mistake, credit card processing systems infiltrated by malware, social engineering attacks and insecure wireless connectivity, among other IT-related glitches which caused a breach.1 1 Introduction What is the impact of a data security breach on an organization? The impact of a data security breach can be far reaching and long lasting. This includes loss of data, compliance pressures, customer loss or attrition, diminished trust, reduction in brand equity, litigation, and negative media coverage. Any and all of these issues have the potential to erode shareholder value and customer confidence. As such, the smooth execution of a comprehensive breach response is critical to managing and reinforcing the trust of your clientele. In fact, an effective response can actually transform the negative implications of a data security breach into a valuable brand- enhancing and loyalty-building opportunity. How should I notify the impacted population that a data security breach has occurred? It is important to alert the impacted population in a clear, concise and timely manner. However, merely informing your clientele of a data security breach could prove catastrophic. A more effective post-breach strategy is to brief clientele on the proactive measures you are implementing to protect them. Taking a responsive leadership role in your communication strategy can play a significant role in restoring – and even increasing – clientele loyalty after a data security breach occurs. 1. 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC February 2009ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 07
FAQ & Terminology (cont.) What should I offer to the impacted population of a data security breach? What you provide to your clientele will depend on the risks ascribed to the particular data security breach. However, general best practices include the provision of: • Credit reports from the three major credit reporting agencies • Credit monitoring alerts • Fraud alerts • Identity theft insurance • Identity fraud resolution services Your ASC BreachShield consultant will be able to determine the most effective benefits configuration based on the unique circumstances and characteristics of your data security breach. If a data security breach occurs, what am I required to do by law? Each state has differing regulations about the reporting and recompense for resolving a data security breach. In addition, if your organization touches clientele across state lines, you may be subject to different compliance requirements based on the location of the affected parties. You should checkIntroduction with your legal department regarding your legal requirements. Why should I take action beyond my legal obligations? There are many reasons to address a data security breach even if you are not required to do so by law. In a world where information can be shared1 instantaneously, you need to consider possible repercussions, should your clientele be notified of your data security breach by another entity. Additionally, notifying and protecting the impacted population reflects the responsibility that your organization feels toward its customers, employees, suppliers and other valued partners. Lastly, a seemingly negative event, when handled well, can actually be leveraged as a relationship building activity. What are Credit Monitoring and Alerts? This service monitors changes to an individual’s credit records with one of the national credit reporting agencies (Credit Bureaus). Members will be notified of any changes to their records on file with that agency. Those changes could include events such as new accounts opened or a change in credit score. What is Triple-Bureau Credit Report with Triple-Bureau Credit Score? This service delivers Credit Reports and Credit Scores from all three major credit reporting agencies. Customers also receive a comprehensive analysis, detailing which factors impact their rating.08 Their information | Your reputation | Our experience.
FAQ & Terminology (cont.) What is the difference between Identity Fraud Resolution and Identity Restoration? Resolution services provide consumers with the tools they need to remedy the negative impact of identity theft. Additionally, consumers are provided with a dedicated caseworker who will work with the individual throughout the duration of his or her case until all issues are resolved. Identity Restoration requires that an individual sign over his or her power of attorney to a third party who will then be responsible for the case. Identity Restoration may be a source of concern to a victim because it requires consumers to hand over power of attorney at a moment of crisis. Also, the individual’s active involvement in his or her case mitigates risk and ensures accuracy. With the help of ASC’s Identity Fraud Resolution caseworkers, victims of identity theft will have all the tools they need to resolve their cases. 1 What is a Fraud Alert? A fraud alert is something that the major credit bureaus attach to your Introduction credit report. When you, or someone else, try to open up a credit account by getting a new credit card, car loan, cell phone, etc., the lender should contact you by phone to verify that you really want to open a new account. If you aren’t reachable by phone, the credit account should not be opened. Do Fraud Alerts always work? Not necessarily. There are many forms of identity theft that do not pass through the credit bureaus, thereby making a fraud alert alone insufficient. That’s why ASC recommends a comprehensive solution that addresses all the forms of identity theft cited by the Federal Trade Commission.ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 09
Case Study 1.1: Insurance Services Company Background In Dec. 2007, a large provider of insurance products suffered a data breach that impacted more than 500,000 people. The breach exposed personal and financial information, including names, addresses, Social Security numbers, bank account numbers, employer information, salary information, medical insurance information and more. Notification The company alerted its partners, and began notifying customers in March 2008. It spent more than $700,000 to mail notification letters to the affected population. However, the letters left many end-customers confused, because they had no direct relationship with the parent company that experienced the breach. Due to budgetary constraints at the time, the breached company chose not to offer any type of credit monitoring or identity theft protection to those customers who had their information compromised. ReactionCase Study 1.1 Negative media stories about the company began to circulate and, combined with legal pressures, caused the company to seek help from Affinion’s breach response team. The company was interested in a low-cost breach solution, as it only had a remaining budget of $500,000 to spend on a breach resolution. The breach response team immediately implemented a second mailing to all customers advising them that their information had been stolen, and1 offering them identity theft protection services. Significant time and money could have been saved had this company had a breach response plan in place, and executed it immediately after discovering the breach. Lessons Learned Explain the relationship. Since the breached company in question was a B-to-B service provider to the companies that consumers dealt with, the consumers were confused by the notification letters. Optimize call center communication. Call center agents should expect that customers will be angry and scared when they call for more information. Provide call center agents with facts, background information and remedies so they can explain what happened, and offer the callers support. Offer the solution to all customers. Offer identity theft protection services to all of your affected or potentially affected customers. This may lessen consumer anger, and in this case, may have made them less likely to file the class-action lawsuit. Plan your communication. Save time, money and damage to your company’s reputation by planning your response to a data breach in advance.10 Their information | Your reputation | Our experience.
Explanation of Laws As of Oct. 1st, 2008, in addition to Washington DC and Puerto Rico, there are 44 states that have breach notification laws. The only states that did not have these laws are: Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota. Who is requiring compliance? Federal Deposit Insurance Corporation (FDIC) Federal Reserve Board Office of the Comptroller of the Currency (OCC) Office of Thrift Supervision (OTS) National Credit Union Administration (NCUA) Federal Trade Commission (FTC) Red Flags Final rule adopted under sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”) regarding identity theft red flags for financial institutions and procedures that users of consumer 2 reports should use in the event they receive notices from consumer reporting agencies (“CRAs”) of address discrepancies. Explanation of Laws Section 114 of the FACT Act requires the agencies to jointly issue regulations and guidelines identifying patterns, practices and specific forms of activities that indicate the possible existence of identity theft. Section 114 also directs the agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures to identify possible risks to account holders or customers. The rules went into effect on Jan. 1, 2008, and compliance is required by May 1, 2009. What is required? The new rule requires financial institutions to implement a written program designed to detect, prevent and mitigate identity theft in connection with a covered account. The program must be tailored to the institution’s size, complexity and the nature of its activities. The program must also contain reasonable policies and procedures that: 1) Identify relevant Red Flags for covered accounts and incorporate them into the program. 2) Detect Red Flags that have been incorporated into the program. 3) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.Information concerning legalaspects of security breaches may 4) Ensure the program is updated periodically.have changed since the publicationof this booklet. Always consultyour legal counsel regarding to The program is to be approved by the institution’s board of directorssecurity breaches. or an appropriate board committee. ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 11
Breach Preparation & Response It is important to prepare and plan ahead by completing a Data Breach Incidence Response Plan. Should a breach occur, you are well-positioned to move swiftly by following your completed Data Breach Incident Response Plan. It is important to document all ongoing events, all people involved and all discoveries into a timeline for evidentiary use. BreachShield’s data security professionals are experts at developing effective data breach solutions for before, during and after a breach incident. However, advanced preparation can greatly reduce the time it takes to resolve a data breach, as well as minimize the inevitable panic and confusion that stems from such a critical event. Contacting BreachShield prior to an actual breach enables your organization to have an effective response strategy already in place and ready to implement at a moment’s notice. Another helpful tactic is to develop a set of breach scenarios that could affect your clientele, and define the tasks that need to be accomplished to help resolve potential issues. In addition, designating the incident response teams and assigning specific tasks to each team member before a breachBreach Preparation will help familiarize the responsible parties to their duties, streamlining response times and reducing the chance of error during an actual breach.& Response Incident Response Action Plan Once confirmation is established, it is essential to execute a timely incident response plan.3 Assemble your incident response team Designating the members of the incident response team – and providing the necessary training – prior to the actual data breach will provide quicker recovery and cost savings over the use of ad hoc teams. BreachShield recommends that your incident response team include at least one senior member from each of the following departments: • Executive Management • Legal • Customer Service • Public Relations • IT • Compliance • Risk Management12 Their information | Your reputation | Our experience.
Breach Preparation & Response (cont.) Select an incident response project lead In our experience, the best incident response project leads demonstrate an acute understanding of the organization’s current customer relationships and are able to strategize effective ways to preserve brand equity. Document all relevant information Accurate documentation of the events leading up to, during, and after the data breach will aid in both the incident response team’s investigation as well as prevent future occurrences. BreachShield suggests compiling the following information while simultaneously preserving all evidence in its original form: • Date and time of data breach • Method of data breach • Extent of data breach • Quantity and identifying factors of the impacted population 3 Your BreachShield consultant will be able to determine the most & Response Breach Preparation effective benefits configuration based on the unique circumstances and characteristics of your security breach. Restore and reinforce the breached data The measures taken by the incident response team are dependent on the type and scope of the specific data breach incident. Some standard protocols include determining the point of compromise and securing it, managing the affected systems and enacting preventative measures. Protect the affected population BreachShield recommends taking a proactive and thorough approach toward protecting the affected population. This can help the impacted organization meet compliance standards, reduce potential liabilities and position itself as a responsible leader. It also helps preserve brand equity by maintaining control of the notification process as opposed to risking awareness through other sources.ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 13
Breach Preparation & Response Please remember that every situation is different and some situations may not require you to notify your customers. Depending on the type of data that was breached, a letter may or may not be required. Always consult your legal counsel. If your counsel deems it necessary to contact your customers and/or employees please consider the following: The sooner you notify anyone involved the sooner they can take action to protect themselves. It is crucial that all notification be clear and concise. Customers should understand the company is aware of the problem and that it is taking steps to help with a resolution. Communication of this sort requires great care, as improper notification could actually lead to more financial loss. BreachShield helps organizations of all sizes carefully tailor their incident response notification strategy to minimize potential disruptions while simultaneously placing the affected population at ease.Breach Preparation BreachShield’s security experts are available 24/7 to develop timely, effective data breach solutions that address the needs of your specific& Response incident and organization. We can help with: list management services, notification letter development, printing and mailing services and call center support (pre- and post-enrollment).314 Their information | Your reputation | Our experience.
Case Study 3.1: Large Healthcare Company Background On Mar. 26, 2007, the names and Social Security numbers of 17,000 current and former employees of a major healthcare corporation were compromised when the spouse of an employee downloaded peer-to-peer file sharing software onto a company-issued laptop. Notification Nine weeks after the company confirmed the exposure, it notified the affected employees in a well-written letter, outlining how the data was exposed and what steps the company was taking to help protect those affected. In addition, the company issued one year of free credit monitoring services and a $25,000 insurance policy to each individual affected. The company’s notification letter also provided information and resources for those affected, including a phone number people could call for further information about the breach and instructions for how to sign up for the free identity theft protection services being offered. 3 The company reinforced its response by dedicating a portion of its website to the breach, providing information and an extensive Q&A section to help Case Study 3.1 victims understand what happened and how they could get help. Reaction This company was highly scrutinized by the media as a result of the breach, especially because it took nine weeks to alert the employees affected. After the breach, data security experts questioned whether the company had taken adequate precautions to prevent breaches related to the use of laptops, saying that encryption devices and other security measures could have prevented the loss of data. The breach spurred an investigation, and a subsequent civil lawsuit by the Connecticut Attorney General, where at least 300 victims of the breach resided. Lessons Learned State laws can complicate the response. Creating a response that is compliant with the laws of each state where the victims live can be a big challenge. Offer help in the notification letter. Relevant phone numbers, websites and information on the remedies offered and precautions to take are valuable and reassuring to those individuals affected. Post information on website. Consumers, employees, investors and the media look to the Internet for information, so it is important for all pertinent information to be available on the company website.ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 15
Case Study 3.2: Large Grocery Chain Background On Feb. 27, 2008, a large grocery store chain became aware that it had been exposing customer data for several months, via malware installed on 300 of its computers. It was determined that 4.2 million unique credit and debit card numbers with expiration dates were compromised during the store’s authorization process. The breach occurred despite the fact that the grocery store received PCI certification in 2007, underwent periodic vulnerability scans, and was re-certified in 2008. There were approximately 1,800 cases of reported credit and debit card fraud stemming from the breach in the months that followed. Notification On March 17, 2008, the company notified customers of the breach via a letter on its website from the CEO, who stated: “No personal information, such as names or addresses, was accessed.” The media speculated that the company was lying about how much information was exposed, deducing that of the 1,800 victims who reportedCase Study 3.2 fraud stemming from this breach, those must have been names associated with the stolen credit card numbers and expiration dates. Reaction Days after the CEO’s note was posted, the company found itself defending a class-action lawsuit, filed on behalf of customers whose credit or data was stolen.3 The suit maintained that because of the company’s inadequate data security, its customers had their personal financial information compromised, were exposed to the risk of fraud, have incurred and will continue to incur time to monitor their accounts and dispute fraudulent charges, and have otherwise suffered damages. Lessons Learned “Compliance” does not mean “security.” Prepare for the worst. Although PCI compliance is considered extremely safe, it is not a shield against data breach. Even when technical standards are met, it is important for every company to prepare for a potential breach. Use a multichannel approach to reach affected parties. When responding to a breach, it is important to contact as many affected customers as possible. This company did not send notification letters via mail, and opted instead to post a statement to its website. Only customers who visited the site were notified directly of the breach. State the facts. The CEO’s statements were called into question by the media and the public as 1,800 cases of identity theft were reportedly linked to the data exposure.16 Their information | Your reputation | Our experience.
Communication The nature of crisis communication Data breaches, because they pose a significant threat to the business, financial, operational and “reputational” health of a company, are considered crisis events. Crisis events occur within all organizations and, depending on how they are handled, can either reinforce a positive reputation or irreparably damage a brand. That is because a crisis focuses the attention of customers, partners, employees, investors and the general public on an organization, and cause every action to be closely observed, with each action taking on far greater significance. In other words, the stakes are high, and the world is watching. Beyond any legal concerns that the company must consider in the event of aICR is a strategic communications breach, the purpose of communication is to protect the brand and reinforceand investor relations firm with acrisis communications practice customer relationships.devoted to helping companiesminimize reputational damage from Clear, controlled communication of what happened, when it occurred, whocrisis situations. The firm has guidedseveral large institutions through was affected and what is being done to rectify the situation is important for 4data breach crises by helping them navigating a breach crisis and minimizing brand damage.to define, develop and deliver thecommunications that meet the Communicationneeds of clients, partners, Time is of the essenceinvestors and the media. The most valuable commodity in a crisis situation is time. As soon as theThe guidelines and case studies breach is discovered, it is important to gather information and quicklyhere provide some information on determine the appropriate action steps. Although there is some danger inhow to react in the event of a databreach. If your company needs overreacting to a given situation or prematurely sounding an alarm, the vastadditional crisis communication majority of mistakes are made in assuming something is not a problem orsupport, please visit www.icrinc.comor call (203) 682-8218. that it will just “go away.” A data breach will not go away if it is ignored, and the outcomes always get worse over time. Breach communication principles In response to a breach, it is important to incorporate the following core principles in all internal and external communication: 1) Honesty – Always the best policy, and never more important than in a data breach situation where trust and corporate credibility may already be strained. Being forthright and open with information will win points and actually give management more room to operate. 2) Speed – Success or failure in handling a breach is often a function of time. It is critical to move quickly and make the best decisions possible. Having a breach plan in place greatly facilitates quick decision making. 3) Control – Update stakeholders with the latest information, as you get it. Anticipate questions and be there first with information and answers. 4) Facts – Nothing is more important than ensuring the most accurate portrayal of events possible. In all cases, correct the record where necessary and do not allow unsubstantiated or erroneous information to go unchallenged. Do not speculate, always deal with the facts and never guess. ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 17
Communication (cont.) Breach communication goals The goal in responding to a data breach is to act and behave at every point during the process in a way that is consistent with the company’s values and culture, and at all times place the highest priority on the safety and satisfaction of customers, employees, partners and other stakeholders. All communications should be designed to best achieve the following: Internal Communication: • To ensure accurate, consistent and timely communication • To eliminate or minimize confusion and rumors • To provide guidance and channels for sound internal decision making External Communication: • To maintain the trust, confidence and respect of customers, employees, shareholders, analysts, business partners, public officials and the community • To maintain credible and productive relations with the media • To minimize the impact on the company’s brand equity,Communication operations and sales Media communications During the course of the breach, and its disclosure, the company may get requests from the media for interviews. It is absolutely essential that communication with the media be highly measured and controlled.4 Discussion should focus on the facts of the breach, and what is being done proactively by the company to control the situation and protect those affected. If possible the company should always offer a comment, even if it is limited in substance or information. “No comment” should be avoided and every effort should be made to avoid “the company was unavailable for comment.” Communication should also be tightly controlled. Only an authorized spokesperson should respond to media requests and the number of executives allowed to comment to the media should be limited. In order to underscore how serious the company considers the breach, it is best if a senior executive is designated as the spokesperson.18 Their information | Your reputation | Our experience.
Communication (cont.) General media communication guidelines The following five steps provide a helpful framework for response to the media. Every communication should seek to include these elements. Five steps to prevent F.E.A.A.R 1) Facts – Communicate what you know and don’t know. Correct inaccuracies. Never speculate. 2) Empathy – Always express concern for affected parties. Be human. 3) A ccountability – Demonstrate that you will do everything to assist (even if it’s not your fault!). 4) A ction – Be explicit about what you are doing. 5) Remediation – Apologize. Fix what is broken and ensure it won’t happen again. Discuss plans to prevent similar incidents from occurring in the future. Answers may not be available for all questions pertaining to the 4 breach. When information is unavailable or inappropriate for public dissemination, the company should state that it is working to gather Communication relevant information and will make it available as soon as possible. Case Studies Over the past few years, data breach incidents have greatly increased. And because the number of identity theft victims has also increased, data breaches continue to capture more attention from the mainstream media and the public at large. In creating a Data Breach Response Plan, it is important to look at how other companies have responded, and what outcomes resulted from their actions. There are unique lessons that can be learned from each response. The case studies in this book provide an overview of different types of companies and how they responded to different types of breaches. While the specific actions each company took were different, there are two lessons that applied in every situation: • Timing is Critical: In almost all of the cases below, the companies involved were slow to alert customers to the breach, which led to panic among customers and negative perceptions from the media and the public. Keep in mind that promptly alerting customers and the media demonstrates a proactive interest in keeping customers safe and in finding a solution to the situation. • Develop a Plan in Advance: No matter what unique circumstances a breach presents, companies with a Data Breach Response Plan in place are able to react more quickly and professionally. Being prepared is the key to a successful response.ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 19
Case Study 4.1: The Largest Data Breach in History Background This data hack went undetected for five years, involved several national retailers, and exposed the credit card data of 41 million people. The method used to access the data was not particularly sophisticated. The thieves were “wardriving” or driving around in a car testing Wireless local area networks (WLANs) and exploiting security holes to gain access to customer data, including credit card numbers, expiration dates and security codes. Notification Without the proper tracking systems in place, it was exceedingly difficult to establish how long the fraud had been occurring or how many customers were affected. The retailer then came under heavy criticism for what many considered a slow and sloppy response. The company was also criticized for not disclosing the breach until a month after it was first discovered. The company was eventually forced to offer credit monitoring to a small subset of affected customers, as a result of a lawsuit settlement. It also held a special sale for its victimized customers and gave them a $30 voucher to be used in its retail locations, provided that the customers provided writtenCase Study 4.1 documentation of the time or money lost as result of the incident. Reaction A few months following the disclosure, the company received 11 subpoenas from different state attorneys general. There were many lawsuits filed against the company in federal and state courts, brought forth from banks, credit card issuers, state government officials and groups of affected North4 American customers. The company suffered more than $200 million in losses related to the theft. The negative publicity surrounding this incident continues, years after the breach was discovered, and almost nine years after the breach first began. Lessons Learned Investigate the breach. The company’s lack of an appropriate data tracking system led to consumer confusion and speculation, which resulted in fear. Offer the solution to all customers. The company was criticized for offering credit monitoring to only a small subset of affected customers, and for the fact that the monitoring was only offered as a result of a lawsuit settlement. The remedy should fit the offense. Consider that victims who spent time and money trying to reclaim their stolen identities and recoup their losses may see a token (such as a $30 coupon) as an insult. Provide updates. Demonstrate a concern for customers and a concern about the outcome of the case by providing customers and media with needed periodic updates of new findings and case status.20 Their information | Your reputation | Our experience.
Case Study 4.2: Federal Government Agency Background On May 22, 2006, a large federal government agency announced that 26.5 million Social Security numbers were compromised as the result of a stolen laptop that contained unencrypted personally identifiable information. It was later revealed that the incident had actually occurred on May 3, 2006, but that the agency’s top official was not notified until May 16, 2006. This delayed notification of the FBI until two weeks after the burglary. Less than a month later, the agency warned that an additional 2.2 million citizens also had their data compromised, for a total of 28.7 million breached records. Notification On Aug. 10, 2006, the agency mailed notification letters to the individuals whose information was found on the missing computer, which was recovered by the FBI. The House Government Reform Committee also held a hearing to discuss 4 the incident and the Government Accountability Office (GAO) issued a report the following year. Case Study 4.2 To support the potential victims, the agency devoted the home page of its website to notifying affected citizens. It posted an extensive Q&A section on the site which provided information about how the breach occurred, what steps people could take to monitor their personal information and who to contact if they suspected fraud. The agency also created a hotline staffed by call center employees to answer questions. Reaction There was a significant amount of media coverage when the incident was announced. The media stories emphasized that the agency had waited two weeks to disclose the incident, putting the citizens whose data had been exposed at risk and denying them the opportunity to protect themselves. As a result of the incident, at least three class-action lawsuits have been filed against the agency and its secretary. Lessons Learned It can happen to you. Each year data breaches become more common. Be prepared, and have contracts in place. It is important to develop a breach response plan, and an internal process for rapid response. This can help companies react to a breach more quickly. Promote a culture of awareness and reporting. In order for companies to detect and react to a breach, each person in the organization must know what to look for and who to tell, so top executives can then put a plan in place. Educate all staff. It is important to circulate information on data breaches to employees, and make sure everyone knows what to look for, and how they should react to a potential breach.ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 21
Case Study 4.3: Financial Institution Background In 2008, a major financial institution’s backup data storage tapes (containing customer data that included Social Security numbers and bank account information) went missing – twice. During the first incident, the unencrypted tapes were lost while in transit to a storage facility by the company’s courier. The second incident occurred again while unencrypted data storage tapes were being moved by a commercial carrier. Notification The company was criticized for not disclosing the loss of customer data in a timely manner. While the first incident occurred on Feb. 27, 2008, it appears that the financial institution did not notify its affected partner institution that it had lost the data until May 2008. The partner financial institution then informed the Connecticut attorney general, who made a public announcement about the incident and called for an investigation. The attorney general and the media were highly critical of the financial institution and questioned the long delay in notification. The financial institution sent letters to all of the affected customers, an ongoing process that took several months, as the institution uncovered an additional fourCase Study 4.3 million affected customers. Reaction Because of the delay in notification and because the company did not actually announce the loss of customer data, the media and public reaction was highly negative. The company’s initial response to the incident was an offer for one year of credit monitoring for the affected customers. However,4 as a result of the attorney general’s investigation, it later extended that offer to include two years of monitoring, increased the amount of identity theft insurance coverage from $10,000 to $25,000 and said that it would reimburse for the cost for placing a security freeze on a credit file. Lessons Learned Take control of the disclosure. Allowing an outside entity to announce a breach – in this case, the Connecticut Attorney General – puts your company on the defensive, battling legal forces and negative public perception. Disclosing as soon as possible helps mitigate the inevitably negative reaction. Indicate empathy for those affected. Customers see the bank as a trustworthy entity – and after a breach, they may feel a tremendous lack of that trust and confidence. Ensuring that customer-centric messaging is included in the disclosure of a breach helps shape a perception among customers that the company has their best interest in mind. Post the customer letter on your website. However, even though the number of affected customers may number in the millions, timely notification of customers through a mailing is still important.22 Their information | Your reputation | Our experience.
Solutions Notification Affinion Group recommends using Affinion Security Center to handle all aspects of notification to the impacted population. At a very cost-effective rate, given our unique experience and scale, not only can we draft the notification letter, we will consult on PR strategy and ensure that the impacted population is contacted quickly and efficiently. Enrollment We provide the greatest number of options available in the industry to ensure that your customers can enroll quickly, easily and via the means most convenient. We offer the following enrollment options: Full File Enrollment allows your company to quickly protect all impacted members. The partner will supply a full file of names via a secure method to Affinion for enrollment. Voice Response Unit (VRU) allows customers to enroll via telephone by simply entering the unique encrypted activation code provided in the 5 notification letter. Online allows customers to enroll via a dedicated URL by simply entering Solutions the unique encrypted activation code provided in the notification letter. USPS enrollment allows customers to enroll by filling out an enrollment form and returning it via USPS. Protection Benefits To help keep the customer’s identity safe, Affinion’s data breach products offer comprehensive identity theft protection including: credit monitoring, the credit information hotline, credit reports and the credit card registry service, ID theft insurance, dedicated fraud resolution specialists, automated fraud alerts, and Internet monitoring. Affinion’s specialists will help your company choose the best options based on the severity of the breach and the type of data lost. Resolution As part of your company’s BreachShield solution, all customers enrolled in credit monitoring will have access to Affinion’s Identity Fraud Support Services (IFSS). Our Identity Fraud Support includes all aspects of helping our members resolve identity fraud or theft. Members will receive the following: • A dedicated FCRA-certified caseworker who will provide direct contact information to the member and follow the case through to resolution • Victims of identity fraud will receive a six-month complimentary term extension of the PrivacyGuard credit monitoring service ensuring continued protection during resolution • Advice on placing fraud alerts at each of the three major credit bureaus • Assistance requesting a current credit report from the three credit bureaus • Analysis of areas that could be impacted by the fraud • In certain instances, the resolution specialist will assist members by attending conference calls and drafting letters and formsASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 23
Solutions (cont.) • Information on contacting law enforcement officials and the FBI • Assistance with any travel arrangements necessary for fraud resolution • Victims receive a personalized Fraud Resolution Kit via overnight mail which includes: – Educational information and resource contact information for relevant government agencies and ﬁnancial institutions – Personalized dispute letters to send to credit bureaus and ﬁnancial institutions as well as extra copies for reference – Instructions on how to ﬁle a police report, request a personal Social Security statement, and a worksheet for victims to track activities and time spent resolving identity fraud issues Credit Monitoring and Alerts This service monitors changes to an individual’s credit records with one of the national credit reporting agencies (credit bureaus). Members will be notified of any changes to their records, including any new accounts opened or a change in credit score. Internet Fraud Monitoring A sophisticated, real-time, early warning technology monitors variousSolutions underground chat rooms where thieves sell and trade stolen information. Members are notified via e-mail if their personal information is discovered as compromised – often before the financial institution is notified.5 Automated Fraud Alerts When an application for credit is made in the member’s name, either by the member or somone else, the member receives a confirmation phone call allowing them to approve or deny the new credit request. Triple-Bureau Credit Reports & Scores Members receive current credit reports and credit scores from all three major credit reporting agencies, including a comprehensive credit analysis. Identity Theft Insurance ID Theft coverage is available at various levels. Credit Information Hotline Members can call the Credit Information Hotline toll free to speak to an FCRA-trained representative. These highly trained representatives walk members through their credit reports and answer questions about credit records or alerts received. Credit Card Registry Service (Lost/Stolen Service) This service gives members the chance to centralize and store information from credit, bank, department store and oil company cards in a single, secure location. Should these items ever get lost or be stolen, members can cancel these cards and request replacements – all with one toll-free phone call.24 Their information | Your reputation | Our experience.
Breach Recovery: Sample Press Release [Company Name] Victimized by [Data Breach/Computer Intrusion] Provides Helpful Information to Protect Customers City, State– [Company Name] announced today that it suffered [Describe Breach Incident: an unauthorized intrusion into its computer systems; loss of data from a stolen computer] which contained information related to customer transactions. [Describe the number of customers affected: Company is launching a full investigation to determine the full extent of the theft and number of affected customers; Company believes that XX customers may have had their personal information compromised]. [Give more details on which systems, brands and locations were affected] The data breach involved [Company’s] payment processing system that handles credit card, debit card and check transactions for its [stores/customers] throughout [the United States, Europe, Texas]. Company immediately alerted law enforcement authorities of the crime and is working closely with them to help identify those responsible. Company is also cooperating with credit and debit card issuers and providing them with information about the incident. Company [is launching/has launched] a full investigation of the breach with the assistance of leading computer security and data analysis firms to determine what customer information may have been compromised. [Company] expects 6 to provide its customers with more information as it becomes available. Since the intrusion, [Company] has taken steps to secure its computer network and Reference Materials Breach Recovery: systems to prevent this type of incident from occurring in the future. “We are extremely concerned about this event and the difficulties it may cause our customers. Since discovering this crime, we have implemented the highest security measures to ensure the safety of our customers, and will work with them to help restore any compromised information. Our customers remain the first priority for [Company], and we will continue to inform them as we uncover additional details about the incident,” says [Name, CEO of Company] Information For Customers [Outline actions customers can take and resources available] To help protect its customers, [Company] has notified the three major credit bureaus in the U.S. of this incident, as well as the attorneys general in the affected states. [Company] has also retained [Identity Theft Protection Company], a specialist in identity theft protection, to provide customers with [X] years of identity theft protection and restoration services, free of charge. Customers who have questions about the incident or who wish to enroll in the identity theft protection program can do so by calling [Company’s] dedicated helpline toll free at: XXX-XXXX in the United States and (XXX) XXX-XXXX in Canada or by visiting [Company’s website address].ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 25
Breach Recovery: Sample Letter to Employees [Date] Dear Customer/Employee: We are writing to let you know that we have become aware of a data privacy breach affecting an estimated XX [customers, colleagues, individuals]. It appears that the breach developed when [briefly state how the beach occurred]. [Company] has been working with outside consultants to review the exposed data quickly and thoroughly. At this point our review is not complete, but we believe that some of the following information may have been exposed: your name; Social Security number and/or Taxpayer Identification number; home address; home and/or cellular phone number(s); fax number; e-mail address; credit card number; bank account number; passport number; driver’s license number; military identification number; birth date and signature. So far there is no indication that any unauthorized person has used or is misusing the information that was [stolen, accessed, compromised]. Nonetheless, we want you to know now, and to have tools and information to help you prevent and detect any misuse. [Company] has notified law enforcement and, to help protect you, has retained [Identity Theft Protection Company], a specialist in identity theft protection, to provide you with [X]Reference MaterialsBreach Recovery: years of protection and restoration services, free of charge. You can enroll in the program by following the directions below. Please keep this letter; you will need the personal access code it contains in order to register for services. The [Identity Theft Protection service] package that [Company] has arranged provides these protections for you: • Credit Monitoring: unlimited access to your credit report and score and will notify you via email of key changes in your credit report that may indicate6 fraudulent activity. • Fraud Resolution Representatives: Expert guidance if you suspect that your personal information is being misused. • Insurance Reimbursement: [$XX] of Identity Theft insurance [describe details] [Company] has advised the three major U.S. credit bureaus about this incident. We gave a general report, alerting them to the fact that the incident occurred; [Company] has not notified them about the presence of your specific information in the removed data. [Company] has also notified the attorney general’s office in your state of residence about this incident, as well as other officials where required by law.26 Their information | Your reputation | Our experience.
Breach Recovery: Sample Letter to Employees (cont.) Additional Ways to Help Protect Yourself Besides registering for the free protection services that [Company] has arranged, there are other things that you can do to help protect yourself from fraud or identity theft. We advise you to remain vigilant against the possibility of fraud and/or identity theft by monitoring your account statements and credit reports for unusual activity. When you receive your credit reports, review them carefully. If you see anything you do not understand, call the credit reporting agency. If you do find suspicious activity on your credit reports, call your local police or sheriff ’s office and file a police report of identity theft. Make sure to obtain a copy of the police report because you may need to provide the report to creditors to clear your record. You also should file a complaint with the Federal Trade Commission (FTC) at www.ftc.gov/idtheft or at 1-877-ID-THEFT (1-877-438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. Even if you do not find suspicious activity on your initial credit reports, the FTC suggests that you keep checking your credit reports periodically. Identity thieves 6 sometimes hold on to personal information for a period of time before using it. Checking your credit reports periodically can help you spot potential problems Reference Materials Breach Recovery: and address them quickly. We encourage you to consider all options to help protect your privacy and security, and in particular, we encourage you to take advantage of the credit protection services we have arranged for you with [Identity Theft Protection Company], at no charge to you. How to Sign Up for the Identity Theft Protection Services You may sign up for the protection services free of charge, either by calling a special toll free number [1-800-XXX-XXXX]. You may also enroll online by visiting [website]. To sign up, just enter the access code provided below and disregard any pricing information. Your Access Code: [insert access code] We encourage you to enroll and activate your credit monitoring quickly. Please note that the deadline for enrolling in this service is XXX. [Company] takes your privacy very seriously and will continue to monitor this situation. We have modified the computer system where this information was stored and enhanced security for other computer systems as well. Should there be any significant developments, we will notify you. If you have questions or wish to request more information from [Company], please send us an email at [email address] or call us at [phone number]. [Company] understands how important it is to maintain the security and confidentiality of personal information. Again, we regret any inconvenience that may result from this incident and encourage you to take full advantage of all resources to help protect your personal information. Sincerely, [CEO or Privacy Officer]ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 27
Breach Recovery: Sample Letter to Customers Dear [Name]: We are writing to inform you about possible fraudulent activity involving your personal information. We take these matters very seriously and this incident is being investigated. As a result of unauthorized access to our computer system, information such as your name, address, telephone number, Social Security number, card account number, and PIN may have been accessed by unauthorized parties. You will not be responsible for unauthorized fraudulent activity resulting from this situation. We are working with law enforcement authorities to investigate the situation, and to ensure that this does not happen again. At this point, our investigation is still ongoing, however we would like to make sure that your personal information is protected. What we are doing to protect your personal information: We are offering you a complimentary one-year membership in PrivacyGuard®. PrivacyGuard is a national subscription credit monitoring service that provides you with access to your credit reports and daily monitoring of your credit files from all three national consumer reporting agencies. To take advantage of this service, you must sign up by [date].Reference Materials You may enroll for your free one-year membership in PrivacyGuard® in one ofBreach Recovery: three ways: 1) Sign up online at [Insert URL] and enter the requested information. 2) Sign up by telephone using the automated system by dialing 1-800-XXX-XXXX. 3) To sign up via postal mail, please complete, sign and mail the enclosed enrollment form. What you can do to protect your information: Attached to this letter is a list of steps you can take to help prevent identity theft.6 If we can assist you further, please call our toll-free number at 1-800-XXX-XXXX from 8 a.m. EST to 8 p.m. EST, Monday through Saturday. You may also visit [company website] for more information. Sincerely, [Name] Chief Operating Officer28 Their information | Your reputation | Our experience.
Breach Recovery: Resources Security Industry Experts Affinion Security Center | BreachShield www.affinionsecuritycenter.com www.breachshield.com Public Relations, Investor Relations & Crisis Communications ICR, Inc. www.icrinc.com Federal Trade Commission www.ftc.gov/bcp/edu/microsites/idtheft Consumer Protection Groups Identity Theft Resource Center www.idtheftcenter.org 7 ResourcesASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 29