How to Report a Security Incident to External Stakeholders
The external stakeholders of a business or corporation are primarily your customers, as well as the suppliers and distributors that you currently work with. But it is the customer that drives revenue into your business, and if their confidential information or data (mostly credit card numbers, social security numbers, passwords, PIN numbers, etc.) has been compromised by a Cyber-attack, you not only have a moral obligation to notify them of what happened, but a legal one as well.
This has been brought under the legislation known as the Data Security Breach Notification Act of 2015. It clearly states that an organization must take all precautions to protect customer data, and must inform customers in a timely manner after a Security breach has taken place.
It also requires entities to provide such notifications to all law enforcement and investigative branches at the federal, state and local levels. If this is not done, a business or corporation could face very harsh financial penalties and fines, and even criminal ones.
But reporting a Security breach to your external stakeholders requires a different approach than reporting to your internal stakeholders. This is primarily driven by the fact that the latter will be a much smaller group of people, whereas the former will obviously be much larger.
Calling customers individually and notifying them as to what happened adds a “personal touch” in the communications process. Of course, this option is only feasible if you are a smaller business entity with a smaller customer base.
What protocols should be followed in notifying customers if you are a much larger business with thousands of customers? In these instances, sending out a letter to them in an expedient fashion would be the most prudent avenue to take. But before the letters are drafted and sent off, very careful thought needs to be given as to how they will convey the message that, put simply, the customers' confidential information and data are at risk.
Here are the key areas that are to be considered:
1) Give very careful consideration to the tone and the voice of the letter:
In these instances, it is important to keep the language of the letter as soft as possible. In other words, it should be kept to the point, no-nonsense, and easy to read and understand. This will help to reassure your customer base that you are looking after their best interests, and that you will take care of them no matter how much effort is needed on your part.
2) Tell your customers exactly what happened:
There is no need to reveal every bit of information, but your customers have a right to know exactly what transpired. This includes how the Cyber attack occurred, what was impacted and how severely, and what the plans are to prevent this from happening again. Most importantly, you need to tell your customers that you are working closely with investigators and law enforcement in order to track down the hijacked information/data before further damage occurs (such as subsequent Identity Theft Attacks). Also, offer them free credit monitoring and Identity Theft protection. It is also important to include the relevant contact information so that they can reach out to you with any concerns or questions.
3) Consider the audience of your customer base:
If your business is large enough or virtual in nature, the chances are that you will have international customers as well. You may be thinking at this point: if they are in a different country, why should they be notified? The bottom line is that they are still your customers, and the fact remains that their information and data resided on your servers; therefore, you still have a legal obligation to inform them that their information and data are at risk. It will therefore be important to draft the letter in their respective language, and hiring a translator for that language is a must. This will ensure that nuances in the translation do not cause any further misunderstandings.
4) It must be understandable:
Just as it is important to communicate exactly what happened and what has been impacted by the Cyber-attack, it is equally important that the letter be easy to read. In other words, there is no need for techno-jargon; use bold headings and bullet points for the substantive portion (the part about the Cyber-attack), and try to keep this part down to just a couple of paragraphs. Remember, when customers read this kind of letter, they normally just skim it at first. Therefore, the importance of the letter and the gravity of the situation must be conveyed the first time your customers read it.
Finally, after the letter has been drafted into its final form, an attorney should also review it to make sure that it complies with the federal laws, as described previously in this section.
This concludes our series on the need for proper Incident Planning. It is not enough just to have the document in place; it must also be rehearsed and practiced on a quarterly basis in order to keep it updated.