When Breach Planning Fails: Bad Plans, Slow Response Can Add to Damages
Michael Bruemmer, vice president of Experian Data Breach Resolution, says proper breach preparedness sends a clear message that an organization is taking proactive steps to protect its sensitive information. "Customers as well as the employees of your company really want to know that they work for or do business with someone who's going to protect personal information," he says in an interview with Information Security Media Group's Tom Field [transcript below].
Too often, Bruemmer says, he sees organizations that go to the effort of creating a breach response plan - but then they fail to actually test it. "That is as if you have a fire evacuation plan, but you don't actually execute the drill to make sure the people get out of the building," he says.
To prepare properly for a breach, organizations should:
- Select an Individual to Lead the Charge. "Pick that right individual that has enough knowledge of the company and an overview of the importance of the personal identity information that needs to be protected," Bruemmer says.
- Conduct an Audit of All Subcontractors. So many breaches today occur at third-party service providers. Organizations, then, should ask their key vendors about their own data breach response plans, as well as how big of a priority it is to protect the data they're handling. It's also important to have a formalized agreement of the vendors' breach plans and that they practice it, he says.
- Involve the Right Departments. Privacy, public relations, customer service and information security departments all need to be involved in breach planning. Outside professionals, such as legal and law enforcement, should also be included in the preparation process.
- Complete a Yearly Breach Drill. "The ones that actually practice it and have seen some of the hitches that go on, when they've actually experienced a real breach they've done much better in responding more quickly, satisfying the regulators, minimizing the cost and protecting brand reputation," Bruemmer says.
In an exclusive interview about breach planning and response, Bruemmer discusses:
- How organizations frequently get response wrong;
- Best practices for breach preparation;
- Skills organizations need to ensure fast, effective preparation and response.
Bruemmer is vice president, Experian Data Breach Resolution at Experian Consumer Services, a provider of online consumer credit reports, credit scores, credit monitoring, other credit-related information and protection products. In this role, he is responsible for business operations and development. He has more than 25 years of experience in the industry. Bruemmer formerly served as the business development director of consumer products at ID Analytics.
TOM FIELD: To start out, give us a little bit of context, please, and talk a little bit about yourself and your role with Experian.
MICHAEL BRUEMMER: I've been in the industry for about 25 years. I started out in consumer products with PepsiCo and General Foods. I switched over to technology and worked for both Dell and Lenovo on the hardware side. And the last five or so years I spent in the fraud space with CSID, EasyShield, ID Analytics and most recently Experian. I come into this data breach field with a lot of background both from a customer standpoint, and many of the customers that we do service in this field are actually customers I used to do business with before, as well as have the most recent exposure to identity theft and fraud.
FIELD: Let's talk first about breach preparation. I'm going to be devil's advocate here for a minute. If I'm preparing for a breach, aren't I admitting up-front that my organization lacks the proper security?
BRUEMMER: I would say no; actually, on the contrary, you're sending a message that security's a high priority if you do breach preparation. Customers as well as the employees of your company really want to know that they work for or they do business with someone who's going to take proactive steps to protect personal information and they're thinking about it in their overall strategic direction. The other thing I'd say and the last point I would make is although I'm not an attorney, many states and the federal government actually require a data breach plan to be put in place up-front as part of the overall compliance process.
FIELD: Now of course you and I both know these things, but I wanted to play with you a little bit there. And I'm going to play with you now with what I know is one of your pet topics, and that is, what are some of the ways that organizations continue to do breach preparation the wrong way?
BRUEMMER: I can tell you from my experience - and we service a wide range of businesses in the data breach field - the most frequently mentioned issues from companies that have either suffered a data breach or they've been involved in a data breach preparation plan are, first of all, just not taking the time to put a plan in place. That starts with actually designating someone who can lead a team and get the right internal and external folks involved to develop that plan.
Secondly, practice makes perfect. Many companies that go as far as making up a plan fall short when they don't actually practice a plan. And a real live example for that is as if you have a fire evacuation plan but you don't actually execute the drill to make sure the people get out of the building. Then the plan you put in place isn't very good and that applies to data breach.
Then finally, any of your subcontractors need to have that same sense of awareness about data breach and putting a plan in place, and again, although I'm not an attorney or a compliance officer, there are fields like healthcare where it's required with your business associate agreement if you're servicing a data breach that all the subcontractors have to have that plan in place like the parent or the primary company [does]. Those are probably the biggest ways or areas where customers or organizations get it wrong.
Getting Breach Preparation Right
FIELD: Let's turn that around now. What are some ways that organizations can get breach preparation right from the get-go?
BRUEMMER: When I say planning, it's making sure you do pick that right individual that has enough knowledge of the company and an overview of the importance of the personal identity information that needs to be protected and most likely will have some sort of security or privacy background. They have to be a good networker and they have to understand how to get those right internal departments together as well as in key areas like legal, forensics or what Experian does - the data breach resolution. They have to get those resources in place up-front. We recommend to all of our business customers to do a live breach drill every year. And the ones that actually practice it and have seen some of the hitches that go on - which they're always going to come up - when they've actually experienced a real breach they've done much better in responding more quickly, satisfying the regulators, minimizing the cost and protecting brand reputation.
[Do] an audit of all your subcontractors. Actually ask them about the data breach response plan that they have, how big of a priority is protecting the data that they're handling for your company and make sure that you do have not only the plan but that they practice it [and] you have formalized it in some sort of an agreement to hold them accountable.
One last point, the right departments that need to be involved in setting up that response plan are people from privacy, PR, customer service, infosec and the like. Those outside professionals, even though you have your own internal legal team, there are people from the legal field outside that deal with data breaches and response plans and they can shorten the time frames for making the plan as well as make it more effective. As well as the forensics folks; for the same reason they see it all the time and most companies don't have a full-time forensics organization when it comes to some of the complex issues that may have caused a breach.
FIELD: Let's talk about breach response now. We've seen far too many organizations suffer breaches in the past 16-18 months. What are some ways that organizations can get response right?
BRUEMMER: In terms of response, you need to have, first of all, a sense of urgency in that companies need to understand that with their customers, sales, their trust and confidence the customers have placed on them, their brand reputation, let alone the corporate P&L, could potentially all be at risk if a customer doesn't respond to a data breach. The response has got to be quick and when there's lots of pressure you want to go back to the plan that was created when you weren't under the pressure of "hair on fire" and we've had a data breach. The other thing that I would say is make sure and don't be afraid in the response plan to incorporate informing the authorities [and] seeking outside enforcement advice, because law enforcement officials now are [more] well-versed than they ever have been with the number of data breaches that have been happening and they can also help you [by] providing resources.
FIELD: As you outlined, a breach is damaging to an organization. There can be lost business, there's the cost of the breach, brand reputation losses, potential regulatory penalties. Given all of the damage of a breach, what's the reward to an organization for responding correctly to this kind of damage?
BRUEMMER: As you said, brand reputation can be easily damaged with a poor response to a data breach, whether it be the incorrect response or a slow response. Customers lose trust and confidence in the company they're doing business with, particularly one they have entrusted to take good care of their personal identity information, whether it's a Social Security number, a name, an address, credit card or financial data. They want people to take care of that data that they're using to transact business with. Then finally, the overall financial impact to a company on a data breach can be minimized if the response is done well and the company, the employees and the shareholders all benefit from that correct response.
FIELD: Do you believe that we've seen examples in some of the public incidents we've seen where organizations have actually saved their brand reputation by their rapid breach response?
BRUEMMER: Yes, I'll give you one example. The example I'll bring up happened in January of this year. I want to point out this was not a customer that we service with our data breach response tools, but Zappos, the online retailer, lost 24 million usernames and passwords for their customers. Again, where they weren't a customer of Experian Data Breach Resolution, based on the industry reports, they had a plan in place before the breach. Immediately after discovering the breach in the first 24 hours, they mobilized their whole company around the response like shutting down the ordering system and putting all their customer service agents on the phone to answer calls first and foremost about the breach. They sought outside counsel from a forensics standpoint and legal advice to make sure they were not only following the law but they want to put their customers' perceptions and concerns first by their swift action. And I think, at least from my vantage point after six months, Zappos is still thriving and they maintain a very loyal customer following and I would argue that if they had not responded so well to that data breach back in January, it might be an entirely different outcome.
FIELD: I want to talk about skills for a minute. We already deal with organizations that are having a hard time filling the positions that they have in information security and risk management. When it comes to breach preparation and response, what do you find to be the key skills that organizations most need now?
BRUEMMER: I'd like to separate those skills into what I would call individual skills and then overall business skills. Let me start with individuals. If I could pick the top three I would say teamwork because you have different departments coming together all with an important stake in the plan and the response. Second, good listening skills; as a breach unfolds there's lots of information that comes out on an hourly and daily basis, and sometimes it's contradictory. Sometimes it requires a lot of quick on-your-feet thinking, but listening and understanding as a participant in the team, let alone someone involved in the company, is important. Then finally, patience, and the reason for patience is that where I see companies make a mistake early in the process is they want to get out and announce to their customers very quickly they've had a breach, but they haven't let the forensics due-diligence be done, whether it's done inside or outside the company and they really don't have a handle on what happened and why it happened, even though they think they've shut down the issue or they've quantified that it's a lost laptop.
Shifting over to those business skills, I think the corporation has to be good at strategic thinking. What I mean by that is that they have the ability to prioritize, as a matter of strategic importance, the fact that they need a plan in place and how they respond. Second, organizational agility: the company needs to be able to react quickly, work collaboratively amongst departments to be able to get stuff done. Finally, whether you're the head of the data breach response plan or you're executing it as one of the departments involved in that response plan, you've got to have good program management. You've got to track all the details of the response. You've got to keep many people involved, and good communication skills are part of that program management, and you've got to make sure that the people who have a response component actually get it done and it's followed up on.
FIELD: Let's talk a little bit about your own organization. What are some of the ways that Experian is helping organizations prepare and respond to breaches?
BRUEMMER: We work with all types of organizations, whether it's government, non-profits, healthcare, financial, retail, colleges, universities, just to name a few. We're always looking out for getting a plan in place, and so we say the first component is find a point person that's going to lead developing that plan and then get those department heads in place. Privacy, security, IT, customer service, sales, and, yes, the sales organization always needs to be involved in that data breach response plan. The executive management, HR and compliance would round out the team. We encourage the plan to be built and viewed by outside people as well and, depending on the industry sector, you're going to involve legal and compliance folks up-front and their recommendations need to be built into that plan.
Again, we always encourage people to use outside legal, compliance and forensics counsel, along with what we do at Experian to assist in building that plan, practicing it and making sure it's current regardless of when it was developed. If we can accomplish those things, generally people that have developed a plan up-front and taken the advice from numerous folks are in a much better position not only to respond to a breach but also to minimize the consumer destruction in sales, to maintain consumers' trust and confidence and minimize the overall financial impact on the P&L.
FIELD: If you had to boil it down, what would you say is the most important thing that organizations can do to prepare for or respond to a data breach?
BRUEMMER: In one word, plan. And if I had a second thing it would be having that data breach response plan and then practice it at least once a year.