“It’s Been How Long!?” Best Practices for Communicating Notices Long Past a Cybersecurity Incident
Cybersecurity risks continue to generate anxiety for organizations around the world, regardless of industry, sector or size. In the U.S., entities affected by cyberattacks are required by state (and, in some regulated sectors, federal) breach-notification law to notify affected individuals, but the increasingly sophisticated and complex nature of cybersecurity incidents, forensic investigations and data mining processes has meant that some notices are delivered several months to a year after the incident was first detected.[1]
For the impacted organization, these delays in providing notice can frustrate key stakeholder groups, invite regulatory scrutiny and increase litigation risk. Once the notice letters are mailed, affected individuals learning about an incident for the first time often react with a mix of anger and confusion and direct a flood of inquiries at the organization. Fortunately, effective communications can help organizations anticipate, mitigate and minimize the fallout with stakeholders.
Incident Response Communications At-A-Glance
There are several ways that impacted organizations can use communications to assist with managing stakeholder questions so that they can (finally) close the books on an incident.
Communications, in alignment with directives from legal counsel, can help lower the temperature of such inquiries. It is critical to begin seeding messages with affected audiences near the beginning of an incident, explaining what happens behind the scenes to ensure the review process is done accurately and thoroughly, and therefore why it often takes months to complete. Such messages can blunt some of the questions about timing and relieve pressure on the front-line teams responding to inquiries. Communicating with key stakeholders is not a one-time activity; it must be a continuous process throughout the duration of an incident and the subsequent investigation.
Communicating with stakeholders should take place in an orderly manner to show audiences that the organization has control over its response, has a well thought out action plan, and is seeking to remedy the situation to the best of its abilities. Unfortunately, as cybercrime continues to spread across the world, incidents will continue to affect even the most secure organizations, and lengthy, methodical investigations and notification processes will follow on the heels of the initial triage of the incident itself. However, with a thoughtful communications strategy, victimized organizations can minimize reputational risk and ultimately maintain their valued relationships and stakeholder trust.
General Timeline for Incident Remediation and Recovery
Stakeholders who are angry about delayed notice are often not aware of the standard timeline for incident remediation and recovery. An overview of the notification process can provide context for why notices may be sent months after an incident took place.
As a matter of process, once an incident is detected, a victim organization typically first engages outside legal counsel, who in turn retain other external experts (such as forensic investigators) to assist in remediation and recovery. Only once these steps have been completed can data mining begin, an essential step in determining the size and scope of an incident and the data that may have been compromised. The data review process varies incident by incident and often proceeds without a firm or defined end date; the open-ended nature of such an investigation can generate confusion among stakeholders who may not understand why further details are not yet available.
As the investigation continues beyond the initial incident response phase, legal counsel, external data mining firms and internal client teams must continue to coordinate data analysis efforts, a task that can involve sifting through terabytes of data to identify the information involved in the incident and to whom it belongs. Beyond this data review, the organization must also synthesize and de-duplicate the information to determine the precise number of individuals whose data was affected; determine whether the information involved is considered protected health information or personally identifiable information under each applicable state's law; procure a vendor for individual credit monitoring services, notice mailing and/or a call center, if applicable; confirm addresses for letter recipients through the National Change of Address database; generate credit monitoring codes and prepare instructions for those receiving notice letters; and physically mail the notice letters, which sometimes must happen in multiple waves. All of these actions require a great deal of technical and communications expertise and logistical support, and together they can last several months.
After all the above steps are completed, the victimized company is finally in a position to notify affected individuals, mail notice letters, provide resources and, at last, seek closure after the incident. Yet from this point on, stakeholder questions will likely accelerate, with inquiries such as why affected individuals had not been notified earlier and why the notification process took so long. Without context surrounding the investigation and data review process, stakeholders can become aggressive in questioning an organization that is trying to focus on recovery efforts and rebuilding trust.
In conclusion, a comprehensive communications plan is a critical building block in an organization's incident response and recovery strategy. As cybersecurity incidents continue to proliferate around the globe, organizations ought to build up their cybersecurity communications capabilities internally and proactively seek external expertise, both to upskill in preparation for potential threats and to assist in the response when a crisis hits.
[1] “Which States Have Consumer Data Privacy Laws?”, Bloomberg Law, March 18, 2024. https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/
The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals. FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm. ©2024 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com