360° OF IT COMPLIANCE

Linda Varrell, APR Broadreach Public Relations Communicating a Breach with Confidence

Today’s Session Understand your responsibility when a breach occurs Dissect real life breach incidences Differentiate bad news from a crisis Compare various reporting requirements Walk-through the communication process Understand the value of message and audience Discuss monitoring options for reputation management Explore the components of an Emergency Communication Plan

2014 Year of the Breach 90% of all breaches according to FBI and law enforcement were avoidable!

Compliance vs. Stewardship

Dissecting a Major Breach HPS, a publicly traded company (NYSE: HPY), processes credit card transactions for 250,000 business including restaurants and small retail stores resulting in 100 million credit card transactions per month  January 20, 2009 Announced Systems Breach  Notified of Breach by Visa / MasterCard

On the Surface Described as the largest data breach ever at the time involving access devices – 100 million cards – 750 financial institutions Announced in media Customer debit / credit cards reissued Typical Card Information Breach…yes?

Audiences Affected Expected / Intended Cardholders Financial Institutions Business Partners Customers Competitors Unexpected / Unintended Sponsor (Visa) Legal (Attorney General) Government Regulators Industry Shareholders Employees

Taking a Deeper Look Visa removed them from list of preferred processors accusing them of weaknesses in their infrastructure The media publicly criticized Heartland for its cheap PR tactic (social media channels buzzed) Investors sued Heartland as stock price plummeted Rivals took advantage of situation by luring away their customers Formal inquiries by SEC, FTC, Treasury, OCC and Department of Justice Clients incurred losses

How a Breach Goes Wild Photo Credit:

Crisis vs. Bad News Bad news typically has the following components: – A triggering event – A VICTIM or VICTIMS of the event – There’s something UNUSUAL about the event True crises have all of these, plus one or more of the following: – The situation unfolds and expands over time – Parameters that exceed in-house capabilities – The incident prompts a deeper look by media and stakeholders beyond the simple coverage of the triggering event itself Used with Permission: ©2015 Reputation Strategies

So, there’s been a breach!

Know Your Responsibility Data breaches have become the new normal. It is everyone’s role to know their responsibility. Project Management Forensics Mitigation Reporting Communication Restoration Evaluation

Establish Your Team - Internal PM ITHRPRRISKLEGALOPS$$SALESSERVICE

Establish Your Team - External PM CounselPRInsuranceHR Search Law Enforcement MarketingCall CenterForensics

Identify Reporting Requirements Ask, what type of information was involved? Social Security Numbers Financial Account Numbers Driver’s License or Identification Numbers Medical, Health or Insurance Other Non-Protected High-Value Information (Intellectual Property)

Know your State’s Requirements Who must comply Definitions of “personal information” What constitutes a breach Requirements for notice Timing and/or method of notice Who must be notified Exemptions

Comply with the Highest Standard Maine Timing: Reasonable timeframe Threshold: Not specified Disclosure: Minimum Types: Not specified Credit Bureau: Press Release: Not specified Further Reporting: Bureau of Professional & Financial Regulation, Attorney General California Timing: Immediately upon discovery Threshold: 500 residents Disclosure: Full Types: Written, E-sign and Substitute, Statewide notice Credit Bureau: Press Release: 500 residents Further Reporting: Attorney General

Understand that HIPPA is Different Timing: No later than 60 days from discovery Threshold: Zero Disclosure: Full Types: Written (mail), , Substitute Credit Bureau: Required if SSN compromised Press Release: When 500+ residents affected Further Notification: FTC.gov, HHS.gov

Manage Consumer Expectations Be the first to tell YOUR story Accepting responsibility for situation Timely and clear notification Delivered in a manner appropriate with needs Highest degree of urgency based on scale Remediation and credit reporting provided free of charge

Research & Shape Your Message What happened over timeframe When did you know about it What information was at risk Who is involved Who was impacted Have there been losses What is being done about it How will you make people whole How will you ensure it won’t happen again Where can people go for information What advice are you providing to further protect consumers

Assess Audiences Who…? Needs to know or understand? Needs to be involved? Will be affected? Can provide advice? *Adapted from PRSA – Universal Accreditation Board Types…? Internal vs. External Primary vs. Secondary Known vs. Unknown

Focus on Critical Audiences Internal Teams Key partners and customers Regulators and reporting agencies Law enforcement Impacted parties Press, media and analysts Community

Control the Message Research Story Assessment Procedures Determine Team, Strategy, Tactics Prep key points/materials/activities Release/manage questions Monitor and Log Story continues to develop? 24

Channel the Message TraditionalSocial Talking PointsTagging & #hashtags Internal / IntranetWebsite landing pages Town Hall MeetingsLinkedin Groups Memos with “share” capabilities FAQsMultimedia Daily huddlesTwitter & Facebook Press ReleaseSocial Release Bylined ArticleBlog Post Quoted in ArticleCommenting on Article Broadcast SegmentYouTube Video Server FilesCloud Files Monday – Friday24/7

Evaluate your Reputation Reputation management is vital during a breach. Media Monitoring – Daily Google / Bing search – Read daily papers – Set up alerts – Review comments online – Review letters to editor Social Media Monitoring – Daily Facebook, Twitter, LinkedIn, etc. search – Set up monitoring in Hootsuite or social aggregator – Employ social listening team – Seek assistance for advanced automated monitoring

Evolve and Improve your Plan Did we follow our plan, or did we have to “wing it”? What was customer feedback and impact on sales and customer relationships? How were we treated, reflected in the press? Was the reporting accurate? How did our spokesperson(s) perform? What lessons did we learn? What needs to change with our communications? What can we do better next time?

Revisit your Communications Plan Identifies the HUMAN resources you need, and how to reach them Identifies the PHYSICAL resources you need, and how to access them Identifies the OUTSIDE resources you need, and how to mobilize them Identifies the MECHANISMS you need, and how to activate them Puts as many functions as possible on autopilot, so you can focus on decisions that MUST be made.

BRACE for a Data Breach Be the first to tell your story. Research facts & impacts thoroughly Assess audiences completely Communicate confidently and consistently Evaluate and evolve Be ready with a solid communication plan for any incident involving your organization.

Know your Resources Krebs on Security - Online Trust Alliance – Experian – x.html x.html passage-of-the-cisa passage-of-the-cisa technology/security-breach-notification-laws.aspx technology/security-breach-notification-laws.aspx &file= &file= &file= &file= notification-rule notification-rule

THANK YOU Linda Varrell, APR President | Founder (207) Let’s Connect 