This whitepaper goes over the facts about data breach and identity theft, offers ways to prevent this from happening, and offers ways to do damage control after it does. http://www.nafcu.org/affinion
Data Breach Response Guide for Credit Unions
1-800-350-7209 | www.breachshield.com

BreachShield
Corporate Data Breach Solutions
Their information | Your reputation | Our experience.
100 Connecticut Avenue, Norwalk, CT 06850-3561

Affinion Security Center | BreachShield
Data Breach Response Guide
Contents

1 Introduction
   04 An Explanation of Affinion's Expertise
   05 The Facts About Data Breaches
      What Is a Data Breach?
   07 FAQ & Terminology
   10 Case Study 1.1 | Insurance Services Company
2 Explanation of Laws
   11 States That Require Disclosure
   11 Red Flag Rules
3 Breach Preparation & Response
   12 Preparation
   12 Assemble Team
   13 Documentation
   13 Response/Protection
   15 Case Study 3.1 | Large Healthcare Company
   16 Case Study 3.2 | Large Grocery Chain
4 Communication
   17 Crisis Communication
   20 Case Study 4.1 | The Largest Data Breach in History
   21 Case Study 4.2 | Federal Government Agency
   22 Case Study 4.3 | Financial Institution
5 Solutions
   23 Notification
   23 Enrollment Options
   23 Member Services
6 Breach Recovery Materials
   25 Sample Press Release
   26 Sample Letter to Employees
   28 Sample Letter to Customers
7 Resources
   29 Industry Experts, Contact Leads
An Explanation of Affinion's Expertise

For over 35 years, Affinion Group has provided customer engagement solutions for more than 5,300 clients across multiple industries. In 1991, Affinion Group launched the first identity theft protection service available, PrivacyGuard. With its development of IdentitySecure, acquisition of CardCops, and strong industry partnerships, Affinion has maintained its leadership by creating and delivering the most comprehensive, proactive and preventative solutions in the marketplace.

Leading fraud experts, including Frank Abagnale, subject of the book and movie Catch Me if You Can, have endorsed Affinion Security Center's protection solutions.

As a natural extension to our world-class protection service suite, Affinion launched BreachShield, a full-service, rapid-response data security breach response and delivery program. National and multi-national enterprises, including those in the financial, retail and travel industries, partner with Affinion Group for our BreachShield data breach solutions. Since 2007, Affinion's BreachShield services have been provided to over five million individuals whose identities have been compromised by a security breach.

For more information on how to implement your breach strategy and solution, please call a BreachShield security expert at 1-800-350-7209.
The Facts About Data Breaches

In the past 12 months, the number of identity fraud victims increased 22% to 9.9 million adults, for an annual incidence rate of 4.32%. [1] It is now more important than ever to remember your customers' experience during a breach incident. Customers and employees should be able to understand easily the breach solution you have put in place. Poor communication and execution could cause a significant customer service challenge and could lead to negative PR, heightened media scrutiny and increased cost.

The total average cost of a data breach grew to $202 per record compromised, an increase of 2.5% since 2007 ($197 per record) and 11% compared to 2006 ($182 per record). [2]

Increasing incidents where a third party is responsible; growing costs: Since 2005, the percentage of incidents where a third party such as an outsourcer or consultant was responsible for a data breach has increased from 21% in 2005 to 29% in 2006, 40% in 2007 and 44% in 2008. After a large initial gap, the difference in per-record cost between third-party and internal responsibility for a breach has become increasingly stable: in 2005 the difference was $12, in 2007 it grew to $67, and in 2008 it was $52. Third-party outsourcers or consultants often analyze or process large volumes of customer-related information. [2]

[1] Javelin Strategy & Research, 2009 Identity Fraud Survey Report - Identity Fraud on the Rise But Consumer Costs Plummet as Protections Increase
[2] 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC, February 2009
The Facts About Data Breaches (cont.)

• As of Oct. 1, 2008, 44 states and the District of Columbia require companies to notify individuals (consumers or employees) regarding a potential or actual breach
• Social Security numbers (38%) and names and addresses (43%) were the data most frequently compromised. Although 15% of victims suffered ATM or debit PIN compromise, and 13% credit PIN compromise, only 9% of victims went on to experience ATM cash withdrawals. Both fraudulent online and in-person purchases increased in 2008 [1]
• The total annual fraud amount in 2008 measured $48 billion, versus $45 billion in 2007 [1]
• Increased availability of public information combined with easy Internet access has left consumers vulnerable to far more devastating types of identity theft
• Over 88% of all cases this year involved incidents resulting from negligence. Data breaches involving negligence cost $199 per record, versus $225 for those caused by malicious acts [2]
• On average, consumers spent nearly $500 of their own money to clear up fraud [3]
• New account fraud cost the industry $18 billion and $579 per victim [3]
• Healthcare and financial services suffer the highest customer loss: healthcare and financial services companies have the highest average rates of churn, 6.5% and 5.5% respectively. High churn rates reflect the fact that these industries manage and collect consumers' most sensitive data. Additionally, the average cost of a healthcare breach ($282 per record) is more than twice that of an average retail breach ($131 per record), another sign that consumers may have a higher expectation for the protection and privacy of their healthcare records [3]
• Trust may be intangible and hard to quantify, but the result of breaking that trust is clear: the cost of lost business represents 69% of the total cost of a data breach [3]
• The majority of breaches in 2008 occurred at merchants and businesses (37%), followed by the education sector (22%) [4]

The three main forms of identity theft, as determined by the Federal Trade Commission through a survey of actual identity theft victims (Identity Theft Resource Center Report, January 8, 2008):
• New accounts and other fraud
• Misuse of an existing non-credit card account or account number
• Misuse of an existing credit card or credit card number

[1] Javelin Strategy & Research, 2009 Identity Fraud Survey Report - Identity Fraud on the Rise But Consumer Costs Plummet as Protections Increase
[2] 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC, February 2009
[3] Javelin Strategy & Research, 2009 Identity Fraud Survey Report
[4] Javelin Strategy & Research, 2008 Data Breaches
FAQ & Terminology

What is a data security breach?
In simple terms, a data security breach occurs any time there is unauthorized access to company data.

How do data security breaches occur?
Lost laptops and system failure are the main causes of data breaches (35% and 33%, respectively). Within the classification of "system glitch," respondents cited a number of different issues, including software application development that did not anonymize live customer data, merger/acquisition activities in which customer data was sent to an unrelated law firm by mistake, credit card processing systems infiltrated by malware, social engineering attacks and insecure wireless connectivity, among other IT-related glitches which caused a breach. [1]

What is the impact of a data security breach on an organization?
The impact of a data security breach can be far-reaching and long-lasting. This includes loss of data, compliance pressures, customer loss or attrition, diminished trust, reduction in brand equity, litigation and negative media coverage. Any and all of these issues have the potential to erode shareholder value and customer confidence. As such, the smooth execution of a comprehensive breach response is critical to managing and reinforcing the trust of your clientele. In fact, an effective response can actually transform the negative implications of a data security breach into a valuable brand-enhancing and loyalty-building opportunity.

How should I notify the impacted population that a data security breach has occurred?
It is important to alert the impacted population in a clear, concise and timely manner. However, merely informing your clientele of a data security breach could prove catastrophic. A more effective post-breach strategy is to brief clientele on the proactive measures you are implementing to protect them. Taking a responsive leadership role in your communication strategy can play a significant role in restoring, and even increasing, clientele loyalty after a data security breach occurs.

[1] 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC, February 2009
FAQ & Terminology (cont.)

What should I offer to the impacted population of a data security breach?
What you provide to your clientele will depend on the risks ascribed to the particular data security breach. However, general best practices include the provision of:
• Credit reports from the three major credit reporting agencies
• Credit monitoring alerts
• Fraud alerts
• Identity theft insurance
• Identity fraud resolution services
Your ASC BreachShield consultant will be able to determine the most effective benefits configuration based on the unique circumstances and characteristics of your data security breach.

If a data security breach occurs, what am I required to do by law?
Each state has differing regulations about the reporting of, and recompense for, a data security breach. In addition, if your organization touches clientele across state lines, you may be subject to different compliance requirements based on the location of the affected parties. You should check with your legal department regarding your legal requirements.

Why should I take action beyond my legal obligations?
There are many reasons to address a data security breach even if you are not required to do so by law. In a world where information can be shared instantaneously, you need to consider the possible repercussions should your clientele be notified of your data security breach by another entity. Additionally, notifying and protecting the impacted population reflects the responsibility that your organization feels toward its customers, employees, suppliers and other valued partners. Lastly, a seemingly negative event, when handled well, can actually be leveraged as a relationship-building activity.

What are Credit Monitoring and Alerts?
This service monitors changes to an individual's credit records with one of the national credit reporting agencies (credit bureaus). Members will be notified of any changes to their records on file with that agency. Those changes could include events such as new accounts opened or a change in credit score.

What is Triple-Bureau Credit Report with Triple-Bureau Credit Score?
This service delivers credit reports and credit scores from all three major credit reporting agencies. Customers also receive a comprehensive analysis detailing which factors impact their rating.
FAQ & Terminology (cont.)

What is the difference between Identity Fraud Resolution and Identity Restoration?
Resolution services provide consumers with the tools they need to remedy the negative impact of identity theft. Additionally, consumers are provided with a dedicated caseworker who will work with the individual throughout the duration of his or her case until all issues are resolved.

Identity Restoration requires that an individual sign over power of attorney to a third party, who is then responsible for the case. Identity Restoration may be a source of concern to a victim because it requires consumers to hand over power of attorney at a moment of crisis. Also, the individual's active involvement in his or her case mitigates risk and ensures accuracy. With the help of ASC's Identity Fraud Resolution caseworkers, victims of identity theft will have all the tools they need to resolve their cases.

What is a Fraud Alert?
A fraud alert is a flag that the major credit bureaus attach to your credit report. When you, or someone else, try to open a credit account by getting a new credit card, car loan, cell phone, etc., the lender should contact you by phone to verify that you really want to open a new account. If you aren't reachable by phone, the credit account should not be opened.

Do Fraud Alerts always work?
Not necessarily. There are many forms of identity theft that do not pass through the credit bureaus (for example, misuse of an existing account), making a fraud alert alone insufficient. That's why ASC recommends a comprehensive solution that addresses all the forms of identity theft cited by the Federal Trade Commission.
Case Study 1.1: Insurance Services Company

Background
In Dec. 2007, a large provider of insurance products suffered a data breach that impacted more than 500,000 people. The breach exposed personal and financial information, including names, addresses, Social Security numbers, bank account numbers, employer information, salary information, medical insurance information and more.

Notification
The company alerted its partners, and began notifying customers in March 2008. It spent more than $700,000 to mail notification letters to the affected population. However, the letters left many end customers confused, because they had no direct relationship with the parent company that experienced the breach.

Due to budgetary constraints at the time, the breached company chose not to offer any type of credit monitoring or identity theft protection to those customers whose information had been compromised.

Reaction
Negative media stories about the company began to circulate and, combined with legal pressures, caused the company to seek help from Affinion's breach response team. The company was interested in a low-cost breach solution, as it had only $500,000 of budget remaining to spend on a breach resolution. The breach response team immediately implemented a second mailing to all customers, advising them that their information had been stolen and offering them identity theft protection services. Significant time and money could have been saved had this company had a breach response plan in place and executed it immediately after discovering the breach.

Lessons Learned
Explain the relationship. Since the breached company in question was a business-to-business service provider to the companies that consumers dealt with, the consumers were confused by the notification letters.

Optimize call center communication. Call center agents should expect that customers will be angry and scared when they call for more information. Provide call center agents with facts, background information and remedies so they can explain what happened and offer the callers support.

Offer the solution to all customers. Offer identity theft protection services to all of your affected or potentially affected customers. This may lessen consumer anger and, in this case, may have made them less likely to file the class-action lawsuit.

Plan your communication. Save time, money and damage to your company's reputation by planning your response to a data breach in advance.
Explanation of Laws

As of Oct. 1, 2008, in addition to Washington, DC and Puerto Rico, 44 states have breach notification laws. The only states that did not have such laws are Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota.

Who is requiring compliance?
Federal Deposit Insurance Corporation (FDIC)
Federal Reserve Board
Office of the Comptroller of the Currency (OCC)
Office of Thrift Supervision (OTS)
National Credit Union Administration (NCUA)
Federal Trade Commission (FTC)

Red Flags
Final rule adopted under sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (the "FACT Act") regarding identity theft red flags for financial institutions, and procedures that users of consumer reports should follow in the event they receive notices of address discrepancies from consumer reporting agencies ("CRAs").

Section 114 of the FACT Act requires the agencies to jointly issue regulations and guidelines identifying patterns, practices and specific forms of activity that indicate the possible existence of identity theft. Section 114 also directs the agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures to identify possible risks to account holders or customers. The rules went into effect on Jan. 1, 2008, and compliance is required by May 1, 2009.

What is required?
The new rule requires financial institutions to implement a written program designed to detect, prevent and mitigate identity theft in connection with a covered account.

The program must be tailored to the institution's size, complexity and the nature of its activities. The program must also contain reasonable policies and procedures that:
1) Identify relevant Red Flags for covered accounts and incorporate them into the program.
2) Detect Red Flags that have been incorporated into the program.
3) Respond appropriately to any Red Flags that are detected, to prevent and mitigate identity theft.
4) Ensure the program is updated periodically.

The program is to be approved by the institution's board of directors or an appropriate board committee.

Note: Information concerning the legal aspects of security breaches may have changed since the publication of this booklet. Always consult your legal counsel regarding security breaches.
Breach Preparation & Response

It is important to prepare and plan ahead by completing a Data Breach Incident Response Plan. Should a breach occur, you are then well positioned to move swiftly by following your completed plan. It is important to document all ongoing events, all people involved and all discoveries in a timeline for evidentiary use.

BreachShield's data security professionals are experts at developing effective data breach solutions for before, during and after a breach incident. However, advance preparation can greatly reduce the time it takes to resolve a data breach, as well as minimize the inevitable panic and confusion that stems from such a critical event. Contacting BreachShield prior to an actual breach enables your organization to have an effective response strategy already in place and ready to implement at a moment's notice.

Another helpful tactic is to develop a set of breach scenarios that could affect your clientele, and define the tasks that need to be accomplished to help resolve potential issues. In addition, designating the incident response teams and assigning specific tasks to each team member before a breach will familiarize the responsible parties with their duties, streamlining response times and reducing the chance of error during an actual breach.

Incident Response Action Plan
Once a breach is confirmed, it is essential to execute a timely incident response plan.

Assemble your incident response team
Designating the members of the incident response team, and providing the necessary training, prior to the actual data breach will provide quicker recovery and cost savings over the use of ad hoc teams. BreachShield recommends that your incident response team include at least one senior member from each of the following departments:
• Executive Management
• Legal
• Customer Service
• Public Relations
• IT
• Compliance
• Risk Management
Breach Preparation & Response (cont.)

Select an incident response project lead
In our experience, the best incident response project leads demonstrate an acute understanding of the organization's current customer relationships and are able to strategize effective ways to preserve brand equity.

Document all relevant information
Accurate documentation of the events leading up to, during and after the data breach will aid the incident response team's investigation as well as help prevent future occurrences. BreachShield suggests compiling the following information while simultaneously preserving all evidence in its original form:
• Date and time of data breach
• Method of data breach
• Extent of data breach
• Quantity and identifying factors of the impacted population

Your BreachShield consultant will be able to determine the most effective benefits configuration based on the unique circumstances and characteristics of your security breach.
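A timeline "for evidentiary use" is only worth what it can prove, so the record itself and the evidence it points to should be tamper-evident. The following is an added example (it is not code from this guide or from BreachShield) of a minimal hash-chained incident log: each entry carries the SHA-256 of the evidence files it references and the hash of the previous entry, so a later change to either the evidence or the log shows up on verification. The incident number, actors, log lines and evidence file in it are constructed for illustration.

```python
import copy
import datetime
import hashlib
import json
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_file(path):
    """SHA-256 of a file, read in chunks (evidence may be a large disk image)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(body):
    # Canonical JSON so the digest does not depend on key order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentTimeline:
    """Append-only, hash-chained record of a breach investigation."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def add(self, event, actor, evidence_paths=(), when=None):
        """Record an event; evidence files are hashed at the moment of recording."""
        if when is None:
            when = datetime.datetime.now(datetime.timezone.utc).isoformat()
        body = {
            "incident": self.incident_id,
            "seq": len(self.entries) + 1,
            "when": when,
            "actor": actor,
            "event": event,
            "evidence": {str(p): sha256_file(p) for p in evidence_paths},
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        body["entry_hash"] = _entry_hash(body)
        self.entries.append(body)
        return body

    def verify(self):
        """Return (ok, problems): recheck every entry digest, chain link and evidence digest."""
        problems = []
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev:
                problems.append(f"seq {e['seq']}: chain broken")
            if _entry_hash(body) != e["entry_hash"]:
                problems.append(f"seq {e['seq']}: entry modified after recording")
            for path, digest in e["evidence"].items():
                if not Path(path).exists():
                    problems.append(f"seq {e['seq']}: evidence missing {path}")
                elif sha256_file(path) != digest:
                    problems.append(f"seq {e['seq']}: evidence altered {path}")
            prev = e["entry_hash"]
        return (not problems, problems)


def demo():
    """Constructed walk-through; returns verify() results at each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed evidence: two lines standing in for an exported proxy log.
        log = Path(tmp) / "proxy-export.log"
        original = (b"2009-03-02T14:05:11Z 10.1.4.22 POST http://203.0.113.7/upload 2.4MB\n"
                    b"2009-03-02T14:05:40Z 10.1.4.22 POST http://203.0.113.7/upload 2.4MB\n")
        log.write_bytes(original)

        tl = IncidentTimeline("IR-2009-0001")  # hypothetical incident number
        tl.add("Breach confirmed: outbound transfers from finance workstation", "IR lead",
               evidence_paths=[log], when="2009-03-02T15:00:00+00:00")
        tl.add("Method: credential theft via phishing; extent: member export file", "IT",
               when="2009-03-02T16:30:00+00:00")
        tl.add("Affected population: 12,400 members, names + SSNs", "Compliance",
               when="2009-03-03T09:15:00+00:00")
        ok_initial, _ = tl.verify()

        log.write_bytes(original.replace(b"2.4MB", b"0.0MB"))  # someone "tidies" the log
        ok_after_evidence_edit, _ = tl.verify()
        log.write_bytes(original)  # restored from the preserved copy

        tampered = copy.deepcopy(tl)
        tampered.entries[2]["event"] = "Affected population: 400 members"  # scope minimised after the fact
        ok_after_log_edit, _ = tampered.verify()

        return ok_initial, ok_after_evidence_edit, ok_after_log_edit
```

In practice the chain head (the last entry_hash) would be copied somewhere the response team cannot edit, such as a ticket or an e-mail to counsel, at the end of each day; verification then also checks that the current head matches the one recorded externally.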
Restore and reinforce the breached data
The measures taken by the incident response team are dependent on
the type and scope of the specific data breach incident. Some standard
protocols include determining the point of compromise and securing it,
managing the affected systems and enacting preventative measures.
Protect the affected population
BreachShield recommends taking a proactive and thorough approach
toward protecting the affected population. This can help the impacted
organization meet compliance standards, reduce potential liabilities and
position itself as a responsible leader. It also helps preserve brand equity
by maintaining control of the notification process as opposed to risking
awareness through other sources.
Breach Preparation & Response (cont.)

Please remember that every situation is different and some situations may not require you to notify your customers. Depending on the type of data that was breached, a letter may or may not be required. Always consult your legal counsel. If your counsel deems it necessary to contact your customers and/or employees, please consider the following:

The sooner you notify anyone involved, the sooner they can take action to protect themselves.

It is crucial that all notification be clear and concise. Customers should understand that the company is aware of the problem and that it is taking steps to help with a resolution.

Communication of this sort requires great care, as improper notification could actually lead to more financial loss. BreachShield helps organizations of all sizes carefully tailor their incident response notification strategy to minimize potential disruptions while simultaneously placing the affected population at ease.

BreachShield's security experts are available 24/7 to develop timely, effective data breach solutions that address the needs of your specific incident and organization. We can help with: list management services, notification letter development, printing and mailing services, and call center support (pre- and post-enrollment).
Case Study 3.1: Large Healthcare Company

Background
On Mar. 26, 2007, the names and Social Security numbers of 17,000 current and former employees of a major healthcare corporation were compromised when the spouse of an employee installed peer-to-peer file-sharing software on a company-issued laptop.

Notification
Nine weeks after the company confirmed the exposure, it notified the affected employees in a well-written letter, outlining how the data was exposed and what steps the company was taking to help protect those affected. In addition, the company issued one year of free credit monitoring services and a $25,000 insurance policy to each individual affected. The company's notification letter also provided information and resources for those affected, including a phone number people could call for further information about the breach and instructions for how to sign up for the free identity theft protection services being offered.

The company reinforced its response by dedicating a portion of its website to the breach, providing information and an extensive Q&A section to help victims understand what happened and how they could get help.

Reaction
This company was highly scrutinized by the media as a result of the breach, especially because it took nine weeks to alert the employees affected. After the breach, data security experts questioned whether the company had taken adequate precautions to prevent breaches related to the use of laptops, saying that encryption and other security measures could have prevented the loss of data. One caveat worth keeping in mind: disk encryption protects data on a lost or stolen laptop, but a file-sharing client running under the logged-in user reads files exactly as that user can, so the controls that address this case are preventing users from installing such software and keeping SSNs off laptops in the first place. The breach spurred an investigation, and a subsequent civil lawsuit by the Connecticut Attorney General, where at least 300 victims of the breach resided.

Lessons Learned
State laws can complicate the response. Creating a response that is compliant with the laws of each state where the victims live can be a big challenge.

Offer help in the notification letter. Relevant phone numbers, websites and information on the remedies offered and precautions to take are valuable and reassuring to those individuals affected.

Post information on the website. Consumers, employees, investors and the media look to the Internet for information, so it is important for all pertinent information to be available on the company website.
Case Study 3.2: Large Grocery Chain

Background
On Feb. 27, 2008, a large grocery store chain became aware that it had been exposing customer data for several months via malware installed on 300 of its computers. It was determined that 4.2 million unique credit and debit card numbers with expiration dates were compromised during the store's authorization process. The breach occurred despite the fact that the grocery store had been validated as PCI compliant in 2007, underwent periodic vulnerability scans, and was re-validated in 2008.

There were approximately 1,800 cases of reported credit and debit card fraud stemming from the breach in the months that followed.

Notification
On March 17, 2008, the company notified customers of the breach via a letter on its website from the CEO, who stated: "No personal information, such as names or addresses, was accessed."

The media questioned this statement, reasoning that the 1,800 victims who reported fraud stemming from the breach must have been identifiable from the stolen card numbers and expiration dates.

Reaction
Days after the CEO's note was posted, the company found itself defending a class-action lawsuit, filed on behalf of customers whose card data was stolen.

The suit maintained that because of the company's inadequate data security, its customers had their personal financial information compromised, were exposed to the risk of fraud, have incurred and will continue to incur time to monitor their accounts and dispute fraudulent charges, and have otherwise suffered damages.

Lessons Learned
"Compliance" does not mean "security." Prepare for the worst. PCI compliance is widely treated as a strong assurance, but it is a point-in-time assessment against a defined set of controls, not a shield against data breach. Even when technical standards are met, it is important for every company to prepare for a potential breach.

Use a multichannel approach to reach affected parties. When responding to a breach, it is important to contact as many affected customers as possible. This company did not send notification letters via mail, and opted instead to post a statement on its website. Only customers who visited the site were notified directly of the breach.

State the facts. The CEO's statements were called into question by the media and the public as 1,800 cases of card fraud were reportedly linked to the data exposure.
17. Communication
The nature of crisis communication
Data breaches, because they pose a significant threat to the business,
financial, operational and “reputational” health of a company, are
considered crisis events.
Crisis events occur within all organizations and, depending on how they are
handled, can either reinforce a positive reputation or irreparably damage a
brand. That is because a crisis focuses the attention of customers, partners,
employees, investors and the general public on an organization, and cause
every action to be closely observed, with each action taking on far greater
significance. In other words, the stakes are high, and the world is watching.
Beyond any legal concerns that the company must consider in the event of a
ICR is a strategic communications
breach, the purpose of communication is to protect the brand and reinforce
and investor relations firm with a
crisis communications practice customer relationships.
devoted to helping companies
minimize reputational damage from Clear, controlled communication of what happened, when it occurred, who
crisis situations. The firm has guided
several large institutions through was affected and what is being done to rectify the situation is important for
4
data breach crises by helping them navigating a breach crisis and minimizing brand damage.
to define, develop and deliver the
communications that meet the
Communication
needs of clients, partners, Time is of the essence
investors and the media.
The most valuable commodity in a crisis situation is time. As soon as the
The guidelines and case studies breach is discovered, it is important to gather information and quickly
here provide some information on determine the appropriate action steps. Although there is some danger in
how to react in the event of a data
breach. If your company needs overreacting to a given situation or prematurely sounding an alarm, the vast
additional crisis communication majority of mistakes are made in assuming something is not a problem or
support, please visit www.icrinc.com
or call (203) 682-8218. that it will just “go away.” A data breach will not go away if it is ignored,
and the outcomes always get worse over time.
Breach communication principles
In response to a breach, it is important to incorporate the following core
principles in all internal and external communication:
1) Honesty – Always the best policy, and never more important than in a
data breach situation where trust and corporate credibility may already be
strained. Being forthright and open with information will win points and
actually give management more room to operate.
2) Speed – Success or failure in handling a breach is often a function of
time. It is critical to move quickly and make the best decisions possible.
Having a breach plan in place greatly facilitates quick decision making.
3) Control – Update stakeholders with the latest information, as you get it.
Anticipate questions and be there first with information and answers.
4) Facts – Nothing is more important than ensuring the most accurate
portrayal of events possible. In all cases, correct the record where necessary
and do not allow unsubstantiated or erroneous information to go
unchallenged. Do not speculate, always deal with the facts and never guess.
Breach communication goals
The goal in responding to a data breach is to act and behave at every point
during the process in a way that is consistent with the company’s values
and culture, and at all times place the highest priority on the safety and
satisfaction of customers, employees, partners and other stakeholders.
All communications should be designed to best achieve the following:
Internal Communication:
• To ensure accurate, consistent and timely communication
• To eliminate or minimize confusion and rumors
• To provide guidance and channels for sound internal decision making
External Communication:
• To maintain the trust, confidence and respect of customers,
employees, shareholders, analysts, business partners, public officials
and the community
• To maintain credible and productive relations with the media
• To minimize the impact on the company’s brand equity, operations and sales
Media communications
During the course of the breach, and its disclosure, the company may get
requests from the media for interviews. It is absolutely essential that
communication with the media be highly measured and controlled.
Discussion should focus on the facts of the breach, and what is being
done proactively by the company to control the situation and protect those
affected. If possible the company should always offer a comment, even if it
is limited in substance or information. “No comment” should be avoided
and every effort should be made to avoid “the company was unavailable
for comment.”
Communication should also be tightly controlled. Only an authorized
spokesperson should respond to media requests and the number of executives
allowed to comment to the media should be limited. In order to underscore
how serious the company considers the breach, it is best if a senior executive
is designated as the spokesperson.
General media communication guidelines
The following five steps provide a helpful framework for response to
the media. Every communication should seek to include these elements.
Five steps to prevent F.E.A.A.R
1) Facts – Communicate what you know and don’t know.
Correct inaccuracies. Never speculate.
2) Empathy – Always express concern for affected parties. Be human.
3) Accountability – Demonstrate that you will do everything to assist
(even if it’s not your fault!).
4) Action – Be explicit about what you are doing.
5) Remediation – Apologize. Fix what is broken and ensure it won’t
happen again. Discuss plans to prevent similar incidents from
occurring in the future.
Answers may not be available for all questions pertaining to the
breach. When information is unavailable or inappropriate for public
dissemination, the company should state that it is working to gather
relevant information and will make it available as soon as possible.
Case Studies
Over the past few years, data breach incidents have greatly increased.
And because the number of identity theft victims has also increased, data
breaches continue to capture more attention from the mainstream media
and the public at large.
In creating a Data Breach Response Plan, it is important to look at how
other companies have responded, and what outcomes resulted from their
actions. There are unique lessons that can be learned from each response.
The case studies in this book provide an overview of different types of
companies and how they responded to different types of breaches.
While the specific actions each company took were different, there are
two lessons that applied in every situation:
• Timing is Critical: In almost all of the cases below, the companies involved
were slow to alert customers to the breach, which led to panic among
customers and negative perceptions from the media and the public. Keep
in mind that promptly alerting customers and the media demonstrates a
proactive interest in keeping customers safe and in finding a solution to
the situation.
• Develop a Plan in Advance: No matter what unique circumstances a breach
presents, companies with a Data Breach Response Plan in place are able to
react more quickly and professionally. Being prepared is the key to a
successful response.
Case Study 4.1: The Largest Data Breach in History
Background
This intrusion went undetected for five years, involved several national
retailers, and exposed the credit card data of 41 million people. The method
used to access the data was not particularly sophisticated. The thieves were
“wardriving,” driving around in a car testing wireless local area networks
(WLANs) and exploiting security holes in them to gain access to customer
data, including credit card numbers, expiration dates and security codes.
Notification
Without the proper tracking systems in place, it was exceedingly difficult to
establish how long the fraud had been occurring or how many customers
were affected. The retailer then came under heavy criticism for what many
considered a slow and sloppy response. The company was also criticized for
not disclosing the breach until a month after it was first discovered.
The company was eventually forced to offer credit monitoring to a small
subset of affected customers, as a result of a lawsuit settlement. It also held
a special sale for its victimized customers and gave them a $30 voucher to be
used in its retail locations, provided that the customers provided written
documentation of the time or money lost as a result of the incident.
Reaction
A few months following the disclosure, the company received 11 subpoenas
from different state attorneys general. Many lawsuits were filed against the
company in federal and state courts by banks, credit card issuers, state
government officials and groups of affected North American customers. The
company suffered more than $200 million in losses related to the theft. The
negative publicity surrounding this incident continues, years after the breach
was discovered, and almost nine years after the breach first began.
Lessons Learned
Investigate the breach. The company’s lack of an appropriate data tracking
system led to consumer confusion and speculation, which resulted in fear.
Offer the solution to all customers. The company was criticized for offering
credit monitoring to only a small subset of affected customers, and for the
fact that the monitoring was only offered as a result of a lawsuit settlement.
The remedy should fit the offense. Consider that victims who spent time and
money trying to reclaim their stolen identities and recoup their losses may
see a token (such as a $30 coupon) as an insult.
Provide updates. Demonstrate a concern for customers and a concern about
the outcome of the case by providing customers and media with needed
periodic updates of new findings and case status.
Case Study 4.2: Federal Government Agency
Background
On May 22, 2006, a large federal government agency announced that
26.5 million Social Security numbers were compromised as the result
of a stolen laptop that contained unencrypted personally identifiable
information. It was later revealed that the incident had actually occurred on
May 3, 2006, but that the agency’s top official was not notified until May 16,
2006. This delayed notification of the FBI until two weeks after the burglary.
Less than a month later, the agency warned that an additional 2.2 million
citizens also had their data compromised, for a total of 28.7 million
breached records.
Notification
On Aug. 10, 2006, the agency mailed notification letters to the individuals
whose information was found on the missing computer, which was
recovered by the FBI.
The House Government Reform Committee also held a hearing to discuss
the incident and the Government Accountability Office (GAO) issued a
report the following year.
To support the potential victims, the agency devoted the home page
of its website to notifying affected citizens. It posted an extensive Q&A
section on the site which provided information about how the breach
occurred, what steps people could take to monitor their personal
information and who to contact if they suspected fraud. The agency also
created a hotline staffed by call center employees to answer questions.
Reaction
There was a significant amount of media coverage when the incident was
announced. The media stories emphasized that the agency had waited two
weeks to disclose the incident, putting the citizens whose data had been
exposed at risk and denying them the opportunity to protect themselves.
As a result of the incident, at least three class-action lawsuits have been filed
against the agency and its secretary.
Lessons Learned
It can happen to you. Each year data breaches become more common.
Be prepared, and have contracts in place. It is important to develop a breach
response plan, and an internal process for rapid response. This can help
companies react to a breach more quickly.
Promote a culture of awareness and reporting. In order for companies to
detect and react to a breach, each person in the organization must know what
to look for and who to tell, so top executives can then put a plan in place.
Educate all staff. It is important to circulate information on data breaches
to employees, and make sure everyone knows what to look for, and how
they should react to a potential breach.
Case Study 4.3: Financial Institution
Background
In 2008, a major financial institution’s backup data storage tapes
(containing customer data that included Social Security numbers
and bank account information) went missing – twice. During the first
incident, the unencrypted tapes were lost while in transit to a storage
facility by the company’s courier. The second incident occurred again while
unencrypted data storage tapes were being moved by a commercial carrier.
Notification
The company was criticized for not disclosing the loss of customer data in a
timely manner. While the first incident occurred on Feb. 27, 2008, it appears
that the financial institution did not notify its affected partner institution
that it had lost the data until May 2008. The partner financial institution
then informed the Connecticut attorney general, who made a public
announcement about the incident and called for an investigation. The
attorney general and the media were highly critical of the financial
institution and questioned the long delay in notification. The financial
institution sent letters to all of the affected customers, an ongoing process
that took several months, as the institution uncovered an additional four
million affected customers.
Reaction
Because of the delay in notification and because the company did not
itself announce the loss of customer data, the media and public reaction
was highly negative. The company’s initial response to the incident was an
offer of one year of credit monitoring for the affected customers. However,
as a result of the attorney general’s investigation, it later extended that offer
to two years of monitoring, increased the amount of identity theft
insurance coverage from $10,000 to $25,000 and said that it would
reimburse the cost of placing a security freeze on a credit file.
Lessons Learned
Take control of the disclosure. Allowing an outside entity to announce
a breach – in this case, the Connecticut Attorney General – puts your
company on the defensive, battling legal forces and negative public
perception. Disclosing as soon as possible helps mitigate the inevitably
negative reaction.
Indicate empathy for those affected. Customers see the bank as a
trustworthy entity – and after a breach, they may feel a tremendous lack
of that trust and confidence. Ensuring that customer-centric messaging is
included in the disclosure of a breach helps shape a perception among
customers that the company has their best interest in mind.
Post the customer letter on your website. However, even though the number
of affected customers may number in the millions, timely notification of
customers through a mailing is still important.
Solutions
Notification
Affinion Group recommends using Affinion Security Center to handle all
aspects of notification to the impacted population. At a very cost-effective
rate, given our unique experience and scale, not only can we draft the
notification letter, we will consult on PR strategy and ensure that the
impacted population is contacted quickly and efficiently.
Enrollment
We provide the greatest number of options available in the industry to
ensure that your customers can enroll quickly, easily and via the means
most convenient. We offer the following enrollment options:
Full File Enrollment allows your company to quickly protect all impacted
members. The partner will supply a full file of names via a secure method
to Affinion for enrollment.
Voice Response Unit (VRU) allows customers to enroll via telephone by
simply entering the unique encrypted activation code provided in the
notification letter.
Online allows customers to enroll via a dedicated URL by simply entering
the unique encrypted activation code provided in the notification letter.
USPS enrollment allows customers to enroll by filling out an enrollment
form and returning it via USPS.
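Every enrollment channel above rests on the activation code printed in the notification letter: it is the only proof that the caller or web visitor is the person the letter was mailed to, so it has to be unguessable, single-use, time-bound (the sample letters set an enrollment deadline), throttled against guessing, and never derived from the very data that was just lost. The block below is an added example, not BreachShield’s or Affinion’s own code, of one way to issue and redeem such codes as random tokens stored only as a keyed hash; the store, the pepper, the caller identifier and all function names are assumptions for illustration.

```python
"""Issue and redeem activation codes for breach-response enrollment.

Added example, not BreachShield's own code. Everything here (the store,
the pepper, the function names) is a hypothetical design for illustration.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Alphabet without 0/O and 1/I/L, so a code printed in a letter can be read
# back over the phone or typed into a web form without transcription errors.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # 31 symbols
CODE_LEN = 16  # 31**16 ~ 7.5e23 codes (~79 bits): not enumerable online


def generate_code(n: int = CODE_LEN) -> str:
    """Random code in groups of four, e.g. 'K7PQ-3XRM-...'. Never derive the
    code from the person's own data (SSN, account number): that data is
    exactly what the attacker may already hold."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(n))
    return "-".join(raw[i:i + 4] for i in range(0, n, 4))


def normalize(code: str) -> str:
    """Accept what a person actually typed: lower case, spaces, no dashes."""
    return code.replace("-", "").replace(" ", "").upper()


def code_digest(code: str, pepper: bytes) -> str:
    """Keyed hash of the code. Only this is stored, so a leaked enrollment
    table does not let anyone enroll as (and view credit data of) a victim."""
    return hmac.new(pepper, normalize(code).encode(), hashlib.sha256).hexdigest()


class EnrollmentStore:
    """Maps code digests to affected persons; enforces single use, the
    enrollment deadline from the letter, and a per-caller guess limit."""

    def __init__(self, pepper: bytes, deadline: datetime, max_attempts: int = 5):
        self.pepper = pepper
        self.deadline = deadline
        self.max_attempts = max_attempts
        self._records = {}   # digest -> {"person_id", "redeemed_at"}
        self._failures = {}  # caller id (IP, ANI) -> failed attempts

    def issue(self, person_id: str) -> str:
        """Create one code for one affected person. The plaintext is returned
        once, for the letter, and never stored."""
        code = generate_code()
        self._records[code_digest(code, self.pepper)] = {
            "person_id": person_id, "redeemed_at": None}
        return code

    def redeem(self, code: str, caller: str, now: datetime):
        """Return (True, person_id) on success or (False, reason)."""
        if now > self.deadline:
            return False, "enrollment deadline passed"
        if self._failures.get(caller, 0) >= self.max_attempts:
            return False, "too many attempts"
        rec = self._records.get(code_digest(code, self.pepper))
        if rec is None:
            self._failures[caller] = self._failures.get(caller, 0) + 1
            return False, "unknown code"
        if rec["redeemed_at"] is not None:
            return False, "code already used"
        rec["redeemed_at"] = now
        return True, rec["person_id"]


def demo_scenario():
    """Walk one store through the cases a help line will actually see
    (constructed sample data)."""
    store = EnrollmentStore(
        pepper=secrets.token_bytes(32),
        deadline=datetime(2030, 1, 1, tzinfo=timezone.utc))
    now = datetime(2029, 6, 1, tzinfo=timezone.utc)
    late = datetime(2030, 3, 1, tzinfo=timezone.utc)
    code = store.issue("member-42")
    results = [
        store.redeem(code.lower(), "ip-1", now),              # typed in lower case
        store.redeem(code, "ip-1", now),                      # replayed from the letter
        store.redeem("AAAA-AAAA-AAAA-AAAA", "ip-2", now),     # a guess
        store.redeem(store.issue("member-43"), "ip-3", late), # after the deadline
    ]
    for _ in range(store.max_attempts):                       # brute-force attempts
        store.redeem("BBBB-BBBB-BBBB-BBBB", "ip-4", now)
    results.append(store.redeem(store.issue("member-44"), "ip-4", now))
    return results


if __name__ == "__main__":
    for ok, detail in demo_scenario():
        print("OK " if ok else "NO ", detail)
```

Two design points worth carrying into a real deployment: the letter's code is the credential, so the dedicated URL should not embed it or any PII in a query string that ends up in web server logs, and the VRU and web channels should share the same store so a code redeemed on one cannot be replayed on the other.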
Protection Benefits
To help keep the customer’s identity safe, Affinion’s data breach products
offer comprehensive identity theft protection including: credit monitoring,
the credit information hotline, credit reports and the credit card registry
service, ID theft insurance, dedicated fraud resolution specialists, automated
fraud alerts, and Internet monitoring. Affinion’s specialists will help your
company choose the best options based on the severity of the breach and
the type of data lost.
Resolution
As part of your company’s BreachShield solution, all customers enrolled
in credit monitoring will have access to Affinion’s Identity Fraud Support
Services (IFSS). Our Identity Fraud Support includes all aspects of helping
our members resolve identity fraud or theft. Members will receive the following:
• A dedicated FCRA-certified caseworker who will provide direct contact
information to the member and follow the case through to resolution
• Victims of identity fraud will receive a six-month complimentary
term extension of the PrivacyGuard credit monitoring service ensuring
continued protection during resolution
• Advice on placing fraud alerts at each of the three major credit bureaus
• Assistance requesting a current credit report from the three credit bureaus
• Analysis of areas that could be impacted by the fraud
• In certain instances, the resolution specialist will assist members
by attending conference calls and drafting letters and forms
• Information on contacting law enforcement officials and the FBI
• Assistance with any travel arrangements necessary for fraud resolution
• Victims receive a personalized Fraud Resolution Kit via overnight mail
which includes:
– Educational information and resource contact information for relevant
government agencies and financial institutions
– Personalized dispute letters to send to credit bureaus and financial
institutions as well as extra copies for reference
– Instructions on how to file a police report, request a personal Social
Security statement, and a worksheet for victims to track activities and
time spent resolving identity fraud issues
Credit Monitoring and Alerts
This service monitors changes to an individual’s credit records with one
of the national credit reporting agencies (credit bureaus). Members will
be notified of any changes to their records, including any new accounts
opened or a change in credit score.
Internet Fraud Monitoring
A sophisticated, real-time, early warning technology monitors various
underground chat rooms where thieves sell and trade stolen information.
Members are notified via e-mail if their personal information is discovered
as compromised – often before the financial institution is notified.
Automated Fraud Alerts
When an application for credit is made in the member’s name, either by the
member or someone else, the member receives a confirmation phone call
allowing them to approve or deny the new credit request.
Triple-Bureau Credit Reports & Scores
Members receive current credit reports and credit scores from all three
major credit reporting agencies, including a comprehensive credit analysis.
Identity Theft Insurance
ID Theft coverage is available at various levels.
Credit Information Hotline
Members can call the Credit Information Hotline toll free to speak to
an FCRA-trained representative. These highly trained representatives walk
members through their credit reports and answer questions about credit
records or alerts received.
Credit Card Registry Service (Lost/Stolen Service)
This service gives members the chance to centralize and store information
from credit, bank, department store and oil company cards in a single, secure
location. Should these items ever get lost or be stolen, members can cancel
these cards and request replacements – all with one toll-free phone call.
Breach Recovery: Sample Press Release
[Company Name] Victimized by [Data Breach/Computer Intrusion]
Provides Helpful Information to Protect Customers
City, State– [Company Name] announced today that it suffered [Describe
Breach Incident: an unauthorized intrusion into its computer systems; loss of
data from a stolen computer] which contained information related to customer
transactions. [Describe the number of customers affected: Company is
launching a full investigation to determine the full extent of the theft and
number of affected customers; Company believes that XX customers may have
had their personal information compromised]. [Give more details on which
systems, brands and locations were affected] The data breach involved
[Company’s] payment processing system that handles credit card, debit card
and check transactions for its [stores/customers] throughout [the United States,
Europe, Texas]. Company immediately alerted law enforcement authorities of
the crime and is working closely with them to help identify those responsible.
Company is also cooperating with credit and debit card issuers and providing
them with information about the incident.
Company [is launching/has launched] a full investigation of the breach with the
assistance of leading computer security and data analysis firms to determine
what customer information may have been compromised. [Company] expects
to provide its customers with more information as it becomes available. Since
the intrusion, [Company] has taken steps to secure its computer network and
systems to prevent this type of incident from occurring in the future.
“We are extremely concerned about this event and the difficulties it may cause
our customers. Since discovering this crime, we have implemented the highest
security measures to ensure the safety of our customers, and will work with
them to help restore any compromised information. Our customers remain the
first priority for [Company], and we will continue to inform them as we
uncover additional details about the incident,” says [Name, CEO of Company].
Information For Customers
[Outline actions customers can take and resources available]
To help protect its customers, [Company] has notified the three major credit
bureaus in the U.S. of this incident, as well as the attorneys general in the
affected states. [Company] has also retained [Identity Theft Protection
Company], a specialist in identity theft protection, to provide customers with
[X] years of identity theft protection and restoration services, free of charge.
Customers who have questions about the incident or who wish to enroll in the
identity theft protection program can do so by calling [Company’s] dedicated
helpline toll free at: XXX-XXXX in the United States and (XXX) XXX-XXXX
in Canada or by visiting [Company’s website address].
Breach Recovery: Sample Letter to Employees
[Date]
Dear Customer/Employee:
We are writing to let you know that we have become aware of a data privacy
breach affecting an estimated XX [customers, colleagues, individuals]. It appears
that the breach developed when [briefly state how the breach occurred].
[Company] has been working with outside consultants to review the exposed
data quickly and thoroughly. At this point our review is not complete, but we
believe that some of the following information may have been exposed: your
name; Social Security number and/or Taxpayer Identification number; home
address; home and/or cellular phone number(s); fax number; e-mail address;
credit card number; bank account number; passport number; driver’s license
number; military identification number; birth date and signature.
So far there is no indication that any unauthorized person has used or is
misusing the information that was [stolen, accessed, compromised].
Nonetheless, we want you to know now, and to have tools and information to
help you prevent and detect any misuse. [Company] has notified law
enforcement and, to help protect you, has retained [Identity Theft Protection
Company], a specialist in identity theft protection, to provide you with [X]
years of protection and restoration services, free of charge.
You can enroll in the program by following the directions below. Please keep
this letter; you will need the personal access code it contains in order to register
for services.
The [Identity Theft Protection service] package that [Company] has arranged
provides these protections for you:
• Credit Monitoring: unlimited access to your credit report and score, with
notification by email of key changes in your credit report that may indicate
fraudulent activity.
• Fraud Resolution Representatives: Expert guidance if you suspect that your
personal information is being misused.
• Insurance Reimbursement: [$XX] of Identity Theft insurance [describe details]
[Company] has advised the three major U.S. credit bureaus about this incident.
We gave a general report, alerting them to the fact that the incident occurred;
[Company] has not notified them about the presence of your specific information
in the removed data. [Company] has also notified the attorney general’s office in
your state of residence about this incident, as well as other officials where
required by law.
Additional Ways to Help Protect Yourself
Besides registering for the free protection services that [Company] has arranged,
there are other things that you can do to help protect yourself from fraud or
identity theft.
We advise you to remain vigilant against the possibility of fraud and/or
identity theft by monitoring your account statements and credit reports for
unusual activity.
When you receive your credit reports, review them carefully. If you see anything
you do not understand, call the credit reporting agency. If you do find suspicious
activity on your credit reports, call your local police or sheriff ’s office and file a
police report of identity theft. Make sure to obtain a copy of the police report
because you may need to provide the report to creditors to clear your record.
You also should file a complaint with the Federal Trade Commission (FTC) at
www.ftc.gov/idtheft or at 1-877-ID-THEFT (1-877-438-4338). Your complaint
will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be
accessible to law enforcers for their investigations.
Even if you do not find suspicious activity on your initial credit reports, the FTC
suggests that you keep checking your credit reports periodically. Identity thieves
sometimes hold on to personal information for a period of time before using it.
Checking your credit reports periodically can help you spot potential problems
and address them quickly.
We encourage you to consider all options to help protect your privacy and
security, and in particular, we encourage you to take advantage of the credit
protection services we have arranged for you with [Identity Theft Protection
Company], at no charge to you.
How to Sign Up for the Identity Theft Protection Services
You may sign up for the protection services free of charge by calling a
special toll-free number [1-800-XXX-XXXX], or by enrolling online at
[website]. To sign up, just enter the access code provided below and
disregard any pricing information.
Your Access Code: [insert access code]
We encourage you to enroll and activate your credit monitoring quickly.
Please note that the deadline for enrolling in this service is XXX.
[Company] takes your privacy very seriously and will continue to monitor this
situation. We have modified the computer system where this information was
stored and enhanced security for other computer systems as well. Should there
be any significant developments, we will notify you.
If you have questions or wish to request more information from [Company],
please send us an email at [email address] or call us at [phone number].
[Company] understands how important it is to maintain the security and
confidentiality of personal information. Again, we regret any inconvenience
that may result from this incident and encourage you to take full advantage
of all resources to help protect your personal information.
Sincerely,
[CEO or Privacy Officer]
Breach Recovery: Sample Letter to Customers
Dear [Name]:
We are writing to inform you about possible fraudulent activity involving your
personal information. We take these matters very seriously and this incident is
being investigated. As a result of unauthorized access to our computer system,
information such as your name, address, telephone number, Social Security
number, card account number, and PIN may have been accessed by
unauthorized parties. You will not be responsible for unauthorized fraudulent
activity resulting from this situation.
We are working with law enforcement authorities to investigate the situation,
and to ensure that this does not happen again. At this point, our investigation is
still ongoing, however we would like to make sure that your personal
information is protected.
What we are doing to protect your personal information:
We are offering you a complimentary one-year membership in PrivacyGuard®.
PrivacyGuard is a national subscription credit monitoring service that provides
you with access to your credit reports and daily monitoring of your credit files
from all three national consumer reporting agencies. To take advantage of this
service, you must sign up by [date].
You may enroll for your free one-year membership in PrivacyGuard® in one of
three ways:
1) Sign up online at [Insert URL] and enter the requested information.
2) Sign up by telephone using the automated system by dialing
1-800-XXX-XXXX.
3) To sign up via postal mail, please complete, sign and mail the enclosed
enrollment form.
What you can do to protect your information:
Attached to this letter is a list of steps you can take to help prevent identity theft.
If we can assist you further, please call our toll-free number at 1-800-XXX-XXXX
from 8 a.m. EST to 8 p.m. EST, Monday through Saturday. You may also visit
[company website] for more information.
Sincerely,
[Name]
Chief Operating Officer
Breach Recovery: Resources
Security Industry Experts
Affinion Security Center | BreachShield
www.affinionsecuritycenter.com
www.breachshield.com
Public Relations, Investor Relations & Crisis Communications
ICR, Inc.
www.icrinc.com
Federal Trade Commission
www.ftc.gov/bcp/edu/microsites/idtheft
Consumer Protection Groups
Identity Theft Resource Center
www.idtheftcenter.org