Public Relations in Face of a Data Breach: Risk and Preparation

A Q&A with Robert McEwen of McEwen & McMahon
Among the multitude of risks posed by data insecurity is the risk to a company’s reputation. In the past, ineffective communications about a data breach have often led to greater financial loss for victimized companies, such as when customers speak publicly about their negative experiences and damage brand equity, or when victims feel their concerns are not being taken seriously and seek recourse through legal action. So how can organizations prepare to communicate effectively in case sensitive information is ever compromised? We spoke with Robert McEwen of McEwen & McMahon to find out.

Why should clients care about PR as it relates to data breach/privacy violations?
Data breaches can erode trust in a company and damage its reputation. What wise business leaders have come to understand is that reputation has quantitative value. It is just as tangible as inventory, receivables, real estate or any other asset on the corporate balance sheet. Year-over-year analyses of Fortune magazine’s annual ranking of “Most Admired Companies” illustrate the indisputable cause-and-effect relationship between reputation and market capitalization. Moving up or down a single notch in a company’s industry sector rankings on average translates into a gain or loss of more than $100 million in shareholder value. It’s only common sense to take every precaution to protect and defend such a precious asset by investing in strategic communications counsel.

How can clients prepare to better manage their brand and mitigate future liability following a data breach event?
Data breaches are an unfortunate fact of life in a digital society. They are as ubiquitous as fires. The question is not whether they will happen, but when. Never, therefore, has the old adage “an ounce of prevention’s worth a pound of cure” held more true than when managing network security. It is far more economical to monitor, identify and deal with potential security issues in advance than to ignore them until some triggering event thrusts an issue before the klieg lights of the media. That’s when a company finds itself in the docket of the court of public opinion, where the jury most often presumes guilt, not innocence, and the trial is almost always a costly one. Such messes often can be avoided if only business leaders would make relatively small investments in crisis preparedness plans and rehearse them regularly.

Every manager with data breach response authority ought to have the crisis management plan filed and posted as an icon on his or her desktop. The plan should include specific scenarios for a variety of different occurrences—whether caused by a stolen laptop, a technology glitch, or a malicious hacker. Such pre-planning enables companies to deal with the situation more effectively than scrambling frenetically at the last minute.

In my experience, most stakeholders understand that data breaches are inevitable to an extent and they will be relatively forgiving if a company handles such an incident efficiently and straightforwardly. If, however, they perceive anything less than full transparency, then stakeholders can be ruthlessly unforgiving. That’s where the rubber meets the road and companies can suffer a significant bottom-line impact.

How much can PR services cost for a large/medium/small business?
The best way of estimating the cost of preparing for or responding to a data breach is to use the PR Cost Calculator that McEwen McMahon and NetDiligence developed for the eRisk Hub.

Generally speaking, the kinds of variables that impact PR costs mostly have to do with the size and scope of the breach, and the company’s degree of readiness to deal with it. How many stakeholder audiences are affected and how large are they? How sensitive is the information that’s been compromised? (Credit card data? Social security numbers? Private health information?) Does the company have internal PR capability? Is there a crisis communications plan? How up-to-date is the plan? Have employees rehearsed it?

Depending on the answers to these questions, PR costs can range from tens of thousands to hundreds of thousands of dollars. But far more important than the immediate cost of retaining outside PR counsel is the potential cost to a company’s reputation. Millions of dollars in brand equity that has taken decades to build can be wiped out instantaneously if a company’s response to a data breach is — or is perceived to be — inadequate.

In conclusion …
What most impressed me about Robert McEwen when I met him a year or so ago was that he was talking about the value of PR. He recalled the Tylenol case (of 1982), and how that was a classic example of excellent media management and customer communication, while the BP oil spill in the Gulf showcased the opposite. Bob felt there are strong similarities to properly handling a massive data breach event. I think he is spot-on, especially if you look at some of the largest publicly reported data breach incidents and how they were handled in the public forum. There is a strong argument for having a professional PR team in place to significantly help mitigate the risk exposures facing many businesses when the inevitable data breach or leak occurs.

Safeguarding Data: Encryption, Tokenization and Hashing

A Q&A with Winston Krone of Kivu Consulting
Encryption is a best practice that helps safeguard private data “at rest” (in the database). However, most companies don’t deploy encryption. Instead, they may say they use “compensating controls” such as the tokenization or hashing of data. To find out more about the differences between encryption, hashing and tokenization and the relative advantages and disadvantages of each approach, we spoke with Winston Krone, managing director of Kivu Consulting, which offers investigation, discovery and analysis to businesses facing data breach incidents.

Can you explain the difference between encryption versus hashing or tokens? What are the limitations of the hashing model?
Conceptually, they are three very different things with three very different purposes.

  1. Encryption is masking or hiding the data by changing the format so that it’s unreadable or indecipherable unless you have the means to decrypt it, so the data remains in place but gets scrambled or hidden. In a situation like a hospital where the organization needs to hold onto the data, this is the obvious method.
  2. Tokenization is a process where you’re trying not to possess the data, as with merchants who use credit card numbers, so instead of encrypting the information you store it away and assign it a key—think of it as a safe deposit box.
  3. Hashing means taking the information and running it through a mathematical formula or algorithm. There are different algorithms for different types of hashing, but whether it’s a single Social Security number or your name or the Gutenberg bible you’re hashing, you will end up with a unique code of numbers to represent the data. As with tokenization, the company doesn’t need to hold the data. The biggest limitation of hashing is that there are certain types of data that shouldn’t be hashed—especially if it’s data you need to access regularly. Data with finite values such as Social Security numbers shouldn’t be hashed because hackers have already created rainbow tables of all of the possible combinations. Another problem we see is that people who use hashing don’t always purge the system of non-hashed data.
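To make the three mechanisms concrete, here is an added Python example (not from the Q&A or from Kivu Consulting): an unsalted hash of a finite-domain value such as a Social Security number is matched simply by recomputing the hash over the candidate space, a keyed hash (HMAC) under a secret key is not, and a token is a random handle whose only link to the value is the vault. The sample number, the `TokenVault` class and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterator, Optional

# Constructed sample value: a fictitious SSN, not any real person's number.
SAMPLE_SSN = "123-45-6789"


def plain_hash(value: str) -> str:
    """Unsalted SHA-256: the 'hashing' the Q&A warns against for finite-domain data."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: still one-way, but a stored digest can only
    be rebuilt from a candidate list by someone who also holds the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def ssn_candidates(area: str, group: Optional[str] = None) -> Iterator[str]:
    """Every syntactically possible SSN in one area block (10^6 values) or, when a
    group is given, one area/group block (10^4 values). The full space is only 10^9."""
    groups = [group] if group else [f"{g:02d}" for g in range(100)]
    for g in groups:
        for serial in range(10_000):
            yield f"{area}-{g}-{serial:04d}"


def rebuild_from_candidates(digest: str, transform: Callable[[str], str],
                            area: str, group: Optional[str] = None) -> Optional[str]:
    """Control check: can a stored digest be matched by recomputing `transform`
    over the candidate space? Returns the matching value, or None if nothing matches."""
    for cand in ssn_candidates(area, group):
        if hmac.compare_digest(transform(cand), digest):
            return cand
    return None


class TokenVault:
    """Tokenization as described in the Q&A: the value goes into a 'safe deposit
    box' and the system keeps only a random handle with no mathematical link to it."""
    def __init__(self) -> None:
        self._box: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = secrets.token_hex(8)  # random, so equal values get unrelated tokens
        self._box[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._box[token]


if __name__ == "__main__":
    # 1. Plain hash of a finite-domain value: matched by enumerating one area block.
    print(rebuild_from_candidates(plain_hash(SAMPLE_SSN), plain_hash, "123"))
    # 2. Keyed hash: the same enumeration without the key matches nothing.
    key = secrets.token_bytes(32)
    print(rebuild_from_candidates(keyed_hash(SAMPLE_SSN, key), plain_hash, "123", "45"))
    # 3. Token: reveals nothing on its own; only the vault maps it back.
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_SSN)
    print(tok, vault.detokenize(tok))
```

The keyed hash and the vault only hold up if the key or the vault itself is protected, which is the key-management and "protect the whole token system" point made later in the Q&A.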

Why would some companies choose to use hashing rather than encrypt their data at rest?
Hashing is a cheaper method, and encrypting data is challenging. You can’t just encrypt something and leave it at that. You have to take care of the keys—the term is “key management.” Otherwise, hackers can crack into the keys, basically giving them access to the bank. The other issue is that encryption is changing over time—methods from ten years ago are now unsafe, so if you’re encrypting data you need to keep track of how old it is. Finally, securely encrypting data in databases that are constantly in use is a significant technological challenge.

One benefit of encryption usage is that, should you have a future data breach incident, the data (in theory) is useless to the bad guy and therefore still protected. At the same time, it gives you legal “safe harbor” and license not to report the breach incident. Can the same argument be made for hashing/tokens?
It’s not the same argument. Of the methods, only encryption will help you avoid the state notification laws in a data breach situation. The other issue with tokenizing is that you still have to protect the whole token system under the credit card industry regulations so it’s not a simple alternative to encryption or the cheap panacea people thought it might be.

What else might executives need to know about their data security?
In an era of shrinking budgets and personnel cuts, it’s easy to tell the CEO that the company is encrypting data or using “encryption-like” techniques. The executive needs to ask the hard questions about what type of encryption is being used, because the IT folks might not understand the legal issues at hand. The decision of whether to use tokenization or hashing or encryption is not just a technical or cost issue—it’s very much a legal issue, so it’s a good idea to have counsel involved. The legal reasons for the method you choose may ultimately outweigh the cost.

In conclusion …
Going forward, many companies are actively trying to comply with various state and federal regulations to reasonably safeguard the private customer data in their care, custody and control. Unfortunately, it has been our experience that encryption—especially for data at rest—is one of the most challenging areas of data security for most of our clients. Proper encryption—in email, online transactions, backup tapes, laptops and corporate databases—is only deployed by a minority of companies (less than 10 percent), for many of the reasons that Mr. Krone mentioned. The truth is, IT budgets and technological barriers get in the way and clients often avoid best practices and pursue more cost-effective alternatives.

The Lowdown on Healthcare Data Breaches

A Q&A with Michael Bruemmer of Experian
Healthcare is one of the single biggest areas for data breach and identity fraud, yet many people still don’t understand the gravity of the risks facing companies and consumers. To get a better handle on the specific risks and how organizations can better protect themselves, I spoke with Michael Bruemmer, VP of Data Breach Resolution at Experian.

What are some of the challenges in healthcare in regard to data breaches right now?
I think there are three big ones: First is HIPAA and HITECH, which have really put pressure on industry. For the most part, healthcare entities, particularly individual doctors and smaller hospitals, would carry on with paper records if they were not pushed to digitize. So it has created a lot of pressure to not only get those records in order, but to make them accessible. All of this has made for challenges with regards to protecting medical records from data breaches. Number two is that the use of those records is not a single handoff—there are multiple exchanges between the patient, the provider, the processor of the payments and the insurance companies involved, so it’s a complex system. Consulting an attorney who can help you better understand these laws is a good idea. Under the law, whether you’re a covered entity or business associate you have to take the same level of care in handling those records, including business records and actual medical records like x-rays and blood work. The third thing is employee training. Employee negligence is still a leading cause of data breaches in the United States. Given the fact that some large hospitals employ upwards of 15,000 to 20,000 people, this means dealing with large networks for training, not to mention policy and enforcement of the training.

What makes a healthcare data breach different from a data breach in another industry?
I touched on HITECH and HIPAA in the first question, but the laws we are operating under now were created in August 2009. We’re still waiting for the final rule to be published, so that puts us in a unique position. There are requirements to protect information from a security and compliance perspective, and companies also have to have a data breach response plan in place, not only for what is called the covered entity but also for any subcontractors or vendors they use. There are 46 different state laws for notification in the case of a healthcare data breach, with varying requirements. California is the most stringent, for instance, and they require that you notify consumers within five business days. In most of the other states it’s 60 days. If you’re a healthcare entity you have to have a compliance officer or privacy officer who knows these laws and knows how to protect all of the health records and information.

What are some of the recommendations you would make to healthcare entities in preparation for a data breach?
First of all, gain an understanding of the law by speaking with an attorney who specializes in healthcare law. These days, you’ve got to have a deep understanding of HIPAA and HITECH. Second is to invest in security compliance, starting with the planning and training of your organization and the people related to the laws and those requirements. Included in that investment—I really focus on this one—is that you actually have to practice your data breach response plan like it’s a fire drill so that people know what to do and everything is coordinated the way it should be. The third thing is making sure you have independent professionals on the team, such as outside legal counsel, a forensic specialist to track the source of the breach, and a notification call center.

How real is Medical Identity theft?
A 2011 study from the Ponemon Institute quotes the annual economic impact of medical identity theft at $30.9 billion. A year earlier, Ponemon found that 1.42 million people were impacted by medical identity theft. Medical or healthcare ID theft represents 40 percent of all data breaches that have been published. On the black market sites where you can buy and sell identities, a Social Security number costs one or two dollars, whereas someone’s full identity, including medical insurance and other medical information, is worth about 50 dollars. The value is in being able to use the services. And the people who are trading this information are getting more money for medical information.

What types of things can happen to victims of Medical Identity theft?
If someone steals your medical identity, the financial impact takes a while to clean up, but that’s not the worst of it. It can literally be a life and death risk. Let’s say you’re a hemophiliac and someone steals your medical information and gets services provided to them, including an operation where they are given blood thinners. That gets put into the records. So then you come in needing a surgery and they give you a blood thinner and you end up having huge complications. You could also have denial of service if someone stole your medical ID—if you go to the emergency room and they see flags on your account from other providers, they can’t deny you that immediate coverage but they could deny you some services because you have unpaid bills that someone rang up on your behalf. That’s not even counting the costs: If you accept the numbers from the Ponemon Institute study, billions of dollars of medical identity theft trickle down to consumers who have to cover the costs of insurance. Medical Identity theft is a very real and significant problem.

In conclusion…
NetDiligence recently conducted its second annual Cyber Liability & Data Breach Insurance Claims study, which again reinforced that the healthcare sector is incurring a large number of data breach incidents and cyber liability insurance claims for the same. Mr. Bruemmer did a nice job of summarizing some of the many risk exposures we see facing our customers in this sector, such as strict and changing state and federal privacy laws; emerging e-health record sharing platforms that increase opportunities for events; and causes of loss such as vendor and business associate mishaps, as well as negligent employees.

Making Cyberspace Accessible to Americans with Disabilities

A Q&A with Tim Springer, CEO of SSB BART Group
Section 508 of the U.S. Rehabilitation Act covers access to electronic and information technology for people with disabilities, and it concerns companies receiving federal funds or contracts. Though accessibility portions of this act were established in 1998, many companies are still uncertain about the guidelines and how they differ from the standards outlined in the Americans with Disabilities Act (ADA). To clear up some of the confusion, I spoke with Tim Springer, CEO of SSB BART Group, about accessibility issues and their significance for risk managers.

What is 508 Compliance?
Section 508 is a United States federal law that dictates that everything the federal government spends money on for information technology purposes has to be accessible or usable for people with disabilities. The law defines the terms and the set of standards for what is “accessible” and “usable.” Basically, it breaks down into three components: technical standards, which govern the code (these are normative requirements you can validate with a checklist); functional requirements, which govern whether the system as a whole produces an accessible experience; and information, documentation and support, which governs the experience around the system and whether the information, training and documentation are accessible.

What is ADA Compliance?
The ADA, or Americans with Disabilities Act, gives civil rights protection to individuals with disabilities. Under Title III, business and nonprofit service providers must provide effective and accessible public accommodations, which covers websites.

Why is accessibility for people with disabilities an important issue for risk managers?
Section 508 is important for anyone working in the public sector because it’s mandatory. If you don’t conform to the law there’s a complaint and resolution process. From a private sector standpoint, if you’re selling software to the public sector, those services will fall under 508. So if you want to keep selling your software to the federal government it needs to be compliant. If you’re in the private sector and you’re not dealing with the government, then you’re looking at ADA, which has more stringent requirements and the cases are more often enforced with litigation.

What are some of the penalties and liabilities for noncompliance?
Section 508 penalties can span from a mandate to change your system to full loss of a government contract if you’re noncompliant. There are generally no direct financial penalties under 508, unlike ADA. We don’t have many examples of contracts being lost—most are simply not getting awarded in the first place. For ADA, penalties can include legal fees, civil damages and mandates to fix things.

What steps can a company take to ensure compliance or remediate noncompliance?
In terms of ensuring compliance there are three broad activities we recommend. When we engage with a customer, we will start with an overall audit that tells them what’s wrong and what needs to be fixed. That’s become a best practice in the industry and most organizations start with that auditing function. The second component is implementation support, which includes active support throughout the development lifecycle and consultation around which requirements need to be addressed and how. Finally, we also cover the broader category of developing compliant policies and procedures, such as interacting with vendors.

Outside of that, there are other specific services we provide. When a government agency requires a Voluntary Product Accessibility Template we can help companies produce this document. When organizations do large-scale remediation we can add in remediating code directly. Typically our customers are larger enterprise-level healthcare, financial and software service companies. Our services require a lot of domain expertise, but we offer a turnkey solution that allows customers to continue these activities on their own once we train staff and get them up and running.

In conclusion …
Businesses that offer services online and have no physical storefront presence may be facing serious risk (see lawsuits) for not making their websites usable for people with disabilities. After all, most businesses would not build a building without a wheelchair ramp, as they understand doing so would risk a massive lawsuit. The virtual equivalent is building an accessible site, and one can easily see how ADA regulations will only grow in application to business as more services shift online.
