360° OF IT COMPLIANCE. Linda Varrell, APR Broadreach Public Relations Communicating a Breach with Confidence.


1 360° OF IT COMPLIANCE

2 Linda Varrell, APR Broadreach Public Relations lindav@broadreachpr.com Communicating a Breach with Confidence

3 Today’s Session: Understand your responsibility when a breach occurs; Dissect real-life breach incidents; Differentiate bad news from a crisis; Compare various reporting requirements; Walk through the communication process; Understand the value of message and audience; Discuss monitoring options for reputation management; Explore the components of an Emergency Communication Plan

4 2014 Year of the Breach: 90% of all breaches according to FBI and law enforcement were avoidable!

5 Compliance vs. Stewardship

6 Dissecting a Major Breach: HPS, a publicly traded company (NYSE: HPY), processes credit card transactions for 250,000 businesses, including restaurants and small retail stores, resulting in 100 million credit card transactions per month; January 20, 2009 Announced Systems Breach; Notified of Breach by Visa / MasterCard

7 On the Surface: Described as the largest data breach ever at the time involving access devices – 100 million cards – 750 financial institutions; Announced in media; Customer debit / credit cards reissued; Typical Card Information Breach…yes?

8 Audiences Affected
Expected / Intended: Cardholders; Financial Institutions; Business Partners; Customers; Competitors
Unexpected / Unintended: Sponsor (Visa); Legal (Attorney General); Government Regulators; Industry; Shareholders; Employees

9 Taking a Deeper Look: Visa removed them from list of preferred processors, accusing them of weaknesses in their infrastructure; The media publicly criticized Heartland for its cheap PR tactic (social media channels buzzed); Investors sued Heartland as stock price plummeted; Rivals took advantage of situation by luring away their customers; Formal inquiries by SEC, FTC, Treasury, OCC and Department of Justice; Clients incurred losses

10 How a Breach Goes Wild Photo Credit: www.thehackernews

11 Crisis vs. Bad News Bad news typically has the following components: – A triggering event – A VICTIM or VICTIMS of the event – There’s something UNUSUAL about the event True crises have all of these, plus one or more of the following: – The situation unfolds and expands over time – Parameters that exceed in-house capabilities – The incident prompts a deeper look by media and stakeholders beyond the simple coverage of the triggering event itself Used with Permission: ©2015 Reputation Strategies

12 So, there’s been a breach!

13 Know Your Responsibility: Data breaches have become the new normal. It is everyone’s role to know their responsibility. Project Management; Forensics; Mitigation; Reporting; Communication; Restoration; Evaluation

14 Establish Your Team - Internal: PM; IT; HR; PR; RISK; LEGAL; OPS; $$; SALES; SERVICE

15 Establish Your Team - External: PM; Counsel; PR; Insurance; HR Search; Law Enforcement; Marketing; Call Center; Forensics

16 Identify Reporting Requirements: Ask, what type of information was involved? Social Security Numbers; Financial Account Numbers; Driver’s License or Identification Numbers; Medical, Health or Insurance; Other Non-Protected High-Value Information (Intellectual Property)

17 Know your State’s Requirements: Who must comply; Definitions of “personal information”; What constitutes a breach; Requirements for notice; Timing and/or method of notice; Who must be notified; Exemptions

18 Comply with the Highest Standard
Maine: Timing: Reasonable timeframe; Threshold: Not specified; Disclosure: Minimum; Types: Not specified; Credit Bureau: 1000+; Press Release: Not specified; Further Reporting: Bureau of Professional & Financial Regulation, Attorney General
California: Timing: Immediately upon discovery; Threshold: 500 residents; Disclosure: Full; Types: Written, E-sign and Substitute, Statewide notice; Credit Bureau: 1000+; Press Release: 500 residents; Further Reporting: Attorney General

19 Understand that HIPAA is Different: Timing: No later than 60 days from discovery; Threshold: Zero; Disclosure: Full; Types: Written (mail), Email, Substitute; Credit Bureau: Required if SSN compromised; Press Release: When 500+ residents affected; Further Notification: FTC.gov, HHS.gov

20 Manage Consumer Expectations: Be the first to tell YOUR story; Accepting responsibility for situation; Timely and clear notification; Delivered in a manner appropriate with needs; Highest degree of urgency based on scale; Remediation and credit reporting provided free of charge

21 Research & Shape Your Message: What happened over timeframe; When did you know about it; What information was at risk; Who is involved; Who was impacted; Have there been losses; What is being done about it; How will you make people whole; How will you ensure it won’t happen again; Where can people go for information; What advice are you providing to further protect consumers

22 Assess Audiences
Who…? Needs to know or understand? Needs to be involved? Will be affected? Can provide advice?
Types…? Internal vs. External; Primary vs. Secondary; Known vs. Unknown
*Adapted from PRSA – Universal Accreditation Board

23 Focus on Critical Audiences: Internal Teams; Key partners and customers; Regulators and reporting agencies; Law enforcement; Impacted parties; Press, media and analysts; Community

24 Control the Message Research Story Assessment Procedures Determine Team, Strategy, Tactics Prep key points/materials/activities Release/manage questions Monitor and Log Story continues to develop?

25 Channel the Message
Traditional | Social
Talking Points | Tagging & #hashtags
Internal Email / Intranet | Website landing pages
Town Hall Meetings | LinkedIn Groups
Memos | Email with “share” capabilities
FAQs | Multimedia
Daily huddles | Twitter & Facebook
Press Release | Social Release
Bylined Article | Blog Post
Quoted in Article | Commenting on Article
Broadcast Segment | YouTube Video
Server Files | Cloud Files
Monday – Friday | 24/7

26 Evaluate your Reputation Reputation management is vital during a breach. Media Monitoring – Daily Google / Bing search – Read daily papers – Set up alerts – Review comments online – Review letters to editor Social Media Monitoring – Daily Facebook, Twitter, LinkedIn, etc. search – Set up monitoring in Hootsuite or social aggregator – Employ social listening team – Seek assistance for advanced automated monitoring

27 Evolve and Improve your Plan Did we follow our plan, or did we have to “wing it”? What was customer feedback and impact on sales and customer relationships? How were we treated, reflected in the press? Was the reporting accurate? How did our spokesperson(s) perform? What lessons did we learn? What needs to change with our communications? What can we do better next time?

28 Revisit your Communications Plan: Identifies the HUMAN resources you need, and how to reach them; Identifies the PHYSICAL resources you need, and how to access them; Identifies the OUTSIDE resources you need, and how to mobilize them; Identifies the MECHANISMS you need, and how to activate them; Puts as many functions as possible on autopilot, so you can focus on decisions that MUST be made.

29 BRACE for a Data Breach: Be the first to tell your story. Research facts & impacts thoroughly. Assess audiences completely. Communicate confidently and consistently. Evaluate and evolve. Be ready with a solid communication plan for any incident involving your organization.

30 Know your Resources
Krebs on Security – http://www.krebsonsecurity.com/
Online Trust Alliance – https://OTAlliance.org/breach
Experian – https://Experian.com/DataBreach
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
http://www.securityinfowatch.com/article/12132882/the-impact-of-the-senates-passage-of-the-cisa
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
http://legislature.maine.gov/statutes/10/title10sec1348.html
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.25-1798.29
https://www.ftc.gov/tips-advice/business-center/guidance/health-breach-notification-rule

31 THANK YOU Linda Varrell, APR President | Founder lindav@broadreachpr.com (207)-619-7350 Let’s Connect 

