Mending Fences After a Breach - Centre for Information Policy

Mending Fences After a Breach
IAPP Global Privacy Summit, 3/8/12
Joanne McNabb, CIPP/US/G/IT
Chief, California Office of Privacy Protection

Lisa Sotto
Partner & Head, Privacy & Information Management Practice, Hunton & Williams

Susan Grant
Director of Consumer Protection, Consumer Federation of America
Session Outline
• Cost of a Data Breach
• Bad Communications
• Better Communications
• Making Amends
• Communications & Litigation
Sony Data Breach Exposes Users to Years of Identity-Theft Risk
SecurID Company Suffers a Breach of Data Security
Entrust Survey Reveals RSA Data Breach Undermines Confidence in Hard Token Authentication
Congress Probes TRICARE Breach
Bipartisan Effort to Learn More About Massive Incident
Breach Cost by Activity
[Chart: breach cost broken down by activity]
Ponemon, 2010 Annual Study: U.S. Cost of a Data Breach
Lost Trust = Lost Customers
Some industries suffer more than others.
[Chart: customer churn after a breach, by industry]
Ponemon, 2010 Annual Study: U.S. Cost of a Data Breach
Breach Impact on Reputation
[Chart: reputation impact of a data breach]
Ponemon, Reputation Impact of a Data Breach, November 2011
Notification Timing Issues
• Not too soon, not too late.
• Consider delivery date.
• Avoid multiple flights of notices.
Notice Issues
• A legal notice? A communications piece? A marketing tool?
• Tone
– What NOT to say
– Who’s it from?
– Addressed to whom?
Example of a Not-Great Notice
[Image: sample notice listing the data elements involved, with annotations “Why??” and “Huh?”]
• User name
• Email
• ENCRYPTED billing address
• ENCRYPTED credit card info
BEFORE: 351 words, 12th-grade reading level
AFTER: 224 words, 8th-grade reading level
[Images: the notice before and after plain-language rewriting]
Good Communications Strategies
• Outside communications firms
• Internal folks to train
• Employee communications
• Regulator communications
• Media
Making Amends
Tips for Yom Kippur
• Accept that you screwed up.
• Express sincere remorse for your actions.
• The other person may not be able to accept your apology.
• Where possible, take action to restore what was lost.
• Reflect on what you’ve learned.
From Twin Cities Hub for Jewish Stuff
Choosing a Make-Good Product
• Should you provide an identity theft service?
• If no, what else could you do to help your customers?
• If yes, what type of service would best fit your customers’ needs under the circumstances?
• What should you look for and what should you avoid when choosing a service?
Communications Before & During Litigation
• A contrite word may forestall litigation.
• Before litigation, don’t think like a litigator.
• If you offer a gift card to one unhappy customer, be prepared to offer one to all in settlement of an action.
• If litigation is inevitable, vet all communications through the legal team.
References & Resources
• California Office of Privacy Protection, Recommended Practices on Notice of Security Breach (1/12), www.privacy.ca.gov/business
• Consumer Federation of America, Shopping for ID Theft Services, at www.idtheftinfo.org
• Plain language resources
– www.plainlanguage.gov
– www.transcend.net/library/tools.html
What to Do Next Week
• Review “Shopping for ID Theft Services” and select product(s) for future use.
• Review your breach notice templates. Share plain language resources with your communications people.