Our last post of this series examined in detail the parties that you need to notify in case your business has been impacted by a cyber-attack. Specifically, the following groups were reviewed:
1. Law enforcement;
2. The major credit reporting companies;
3. Your customers;
4. Both internal and external stakeholders of your organization.
This is the final post of this series, and we take a look at how the above impacted parties should be notified about the security breach.
The Notification Process
In most cases you will likely send out some sort of letter to all of the affected parties.
Remember, the loss of personal information and data is a very serious issue, and the effects of it can impact people in different ways.
Therefore, very careful thought and consideration needs to be given as to how the letter should be drafted. It’s important that you take your time in doing this and have your incident response team look it over carefully.
The model letter below exemplifies how information should be communicated to all of the impacted parties.
It has been crafted for those security breaches in which social security, credit card numbers, banking information, etc. have been stolen.
The Model Letter
Dear [Name of Contact]:
“We are contacting you about a security breach that has occurred at our business, [Insert Name of Your Business].”
Describe What Happened:
> Describe the security breach;
> Discuss how it happened;
> How the stolen information/data has been misused.
What Kinds of Personal Information Were Involved:
“The security incident involved your personal information being stolen [describe the exact nature of the personal information that was stolen].”
What We Are Doing:
> Discuss how you are handling the security breach;
> What is being done to rectify the situation;
> What is being done to protect those customers or others that have been impacted;
> What services are being offered to the impacted parties (such as free credit monitoring or identity theft protection).
What the Impacted Individual Can Do:
> Tell them that they should put a fraud alert on their credit report;
> Provide the contact information for the three credit reporting agencies (Equifax, Experian, and TransUnion). Note: the contact information for these three agencies was provided in the last blog.
> Have them request their credit reports from all three agencies, and stress the importance of reviewing these credit reports carefully for any kind of fraudulent activity.
> Also recommend that these credit reports be checked on a frequent basis (perhaps once every three months) for fraudulent activity. Remind them that identity theft does not occur immediately, but rather over a long period of time, when they least expect it to happen. Hence the importance of checking these credit reports on a regular basis.
> Tell them that if they find any fraudulent activity, they should file a police report immediately. This will be needed in order to clear up any fraudulent debts.
> Apart from getting the credit reports and filing a report with local law enforcement, also include a statement about reporting this to the FTC and filing an identity theft complaint as well. This complaint will be added to the FTC’s “Consumer Sentinel Network”, which is accessible to all law enforcement agencies at the Federal, State, and Local levels.
> Finally, advise the impacted individual that they should put a credit freeze on their credit files (this can also be done by contacting the three credit reporting agencies). This way, an identity thief cannot open any new accounts under their name.
Make sure to include a copy of “Identity Theft: A Recovery Plan”, which is available from the FTC.
> This final part of the letter should include all of your relevant contact information, so that the impacted individual can reach you in case they have other questions or concerns.
The above model letter is only a representation of what possibly should be included. Remember, the exact content of it will depend upon the type of security breach that occurred, and what exactly was hijacked. Apart from having your incident response team review the final draft before it is sent out, it would also be a very good idea to have your attorney review it as well to make sure that all legal grounds have been covered in it.
Although it is important to notify the impacted parties in time, it is equally important to be responsive to any phone calls or emails that you may receive. You want to show your customers that you do indeed care about what has happened to them, and, within reason, you want to do everything you can to help them overcome this situation. As a business owner, any sign of unresponsiveness on your part will simply destroy your brand image.
Our next blog will examine the use of Virtual Private Networks to fortify the lines of defense at your business.