The dos and don'ts of data breaches

How security professionals can lessen the impact

DO communicate with and rely on other departments.

You don't want legal counsel involved to the point that they are combing through log files, but security professionals who alert other key departments — legal, compliance, human resources, public relations, marketing, and of course, the executive team — will put themselves on better footing if they alert key departments in the breach's early stages, rather than at a point that could be construed as after-the-fact.

What's more, security professionals should rely on all these resources for help in the case of a breach. "The security person shouldn't feel they own the responsibility of what steps to take for the company; they should leverage resources and collaborate," says Randy Barr, chief security officer (CSO) of WebEx, a conferencing and collaboration services provider that Cisco in March announced it plans to acquire. Because responding to a data breach is a multifaceted process that can include alerting customers, issuing press releases, dealing with regulators, and possibly even litigation, security professionals should leverage the resources available to them, he says. "Security is not 100 percent; you're in a race to protect yourself and your customer data. The biggest thing is not having to rely on your security program to address [all] the issues," Barr says.

DON'T go on the defensive.

"You need to keep an open mind," says an investigation manager with a financial services company who has been called in to help his company's partners deal with security incidents, and who asked that his name and his company's name not be used. "A lot of times these guys are walking into a boardroom with the CEO, COO, CIO, and head of IT, and all they're saying to themselves is, 'My job is going down the tubes,'" he says. "Go into it with an open attitude and spirit of cooperation, that's how you'll want to be perceived."

DO remember that it's not only your job that could be affected by a breach.

While some security professionals may believe it's best not to bother the executive team with details of an incident, those executives can be held accountable and, therefore, need to know what's happening. "While customers might be becoming a little more desensitized to data breaches [because they're in the news so often], CIOs are becoming a lot more sensitized," says Security Constructs' Bowers, who previously was senior manager of information security with Wyeth Pharmaceuticals. "That's what is driving money into security: More companies are saying we need to meet these privacy regulations because they could affect our stock price ... and bonuses."

DO be honest in communicating with the public, customers, employees, and partners.

How a company alerts people to a breach is the first step in rebuilding their confidence in the organization. Without giving away too many details, offer an honest assessment of what happened. If the company has no reason to believe the stolen data has been used by the criminal, state that, too.

DON'T go public until you know what happened.

If a company has to change its story about what happened — à la TJX — their credibility is instantly eroded. "You can cause panic sometimes," says the investigation manager. "TJX released information that wasn't necessarily true [about the extent of stolen information and when it was compromised] and caused the people who were working on that case trying to identify the extent of the breach to be sidetracked trying to answer the feeding frenzy in the media," he says. "They did exactly the wrong thing."