The Breach: Final Chapter
Why Does The Attorney General of North Carolina Care About Our Data Breach?
Our Data Breach Coaches had filed the necessary communications with several state Attorneys General. We were advised that most states would acknowledge, and it would end there. However, the Attorney General’s Office in North Carolina reached out and requested more information. This was surprising to me, as I didn’t know how to respond or why they would be asking for more details. Fortunately, our Data Breach Coach fielded the request, and we had a call to discuss the strategy for how to respond. Our response reassured them that we had taken the necessary measures to prevent an issue like this from happening again. This was just another point where, had we not engaged the right people, we would have had no idea the reporting requirement existed or how to respond to requests for more information. As I learned, each state has different reporting requirements, and North Carolina was not the last state to request more information.
Credit Monitoring Makes Sense
After two months, we were rounding the home stretch of our incident response. The final piece was to figure out how to protect the impacted individuals from any potential damages. Our Data Breach Coach asked us how we wanted to proceed. (Let’s pause for a second; this is a common theme throughout the process. At various points, third parties who had expertise in a subject matter would ask us our thoughts on how we’d like to proceed. We wanted guidance from the experts in the areas where we needed it; I thought it strange that we were asked this rather than simply presented with options. Back to the story.) Obviously, we didn’t know how to respond, so we asked for options.
As a sign of “goodwill,” they suggested offering everyone credit monitoring for two years. That seemed reasonable to us. So they referred us to a national brand that provides these services. During our first call, they offered credit monitoring and explained the process. All of which was acceptable, but then they started talking about setting up a call center, handling questions from the impacted individuals, printing notification letters, and lots of other services. All of which would have sounded like a great idea had the scope of our incident warranted it. However, our situation was so small that it seemed like overkill and yet another way to spend the Company’s money needlessly. So, we set up the necessary processes with internal staff, contracted to offer the credit monitoring, and sent out the notification letters. Materially, the incident response was effectively over.
You Want A Detailed Recap Of The Breach Response. Are You Sure?
Finally, after all notification requirements were handled, credit monitoring handed out, and all inquiries answered, we had a chance to exhale a bit. The incident could have been much, much worse. But we’d made it through. After thinking about it, I realized I didn’t have a formal recap of our response from our Data Breach Coach. I thought that, should any inquiries about how we responded arise going forward, I should have something to prove that we satisfied all the legal requirements and acted ethically. So, I placed a call to our Data Breach Coach. Out of everything we experienced, this final chapter is what surprised me the most. After a few days, the Data Breach Coach called me back and acknowledged my request.
Here is our dialog:
Data Breach Coach: “You want a formal recap of all the activity that occurred on your behalf in responding to this incident?”
Me: “Yes, I do; I want to be able to produce some formal documentation of how we responded to our incident in the event it is needed in the future.”
Data Breach Coach: “Are you sure you want this?”
Me: “Yes, I’m sure.”
Data Breach Coach: “Are you really sure?”
Me: “Rather than ask me if I really want it, can you just tell me why you are asking if I want it?”
Data Breach Coach: “If we produced it, it becomes a legally discoverable document, which might not be in your best interest, should future legal action be taken against you and your Company.”
Me: “So, let me get this straight: we spent three months and 250K responding to this incident. We dotted every ‘i’ and crossed every ‘t.’ But it’s not in our best interest to have a formal recap of the actions taken, to prove that we handled the incident in accordance with all the requirements?”
Data Breach Coach: “We can add a high-level summary to your file. Should you need it, you can call our office and we’ll produce it, but having a detailed document isn’t in your best interest.”
Me: “Ok, if that’s what you think is best, then I guess I don’t want it.”
This last interaction left me a little dumbfounded. But in hindsight, I should have expected it. The whole experience was foreign to the Company and me. In the end, we spent the entire amount afforded to us by our insurance coverage to respond to this incident for the potential loss of 250 records. During the initial days, there was lots of confusion, many unknowns, and decisions that needed to be made. We didn’t always make the right ones, but we did have enough presence of mind to slow the situation down, get as much data as we could, and make informed decisions.
I’m hopeful that our story can help, inform or at least mildly entertain anyone reading.
About the Author:
This blog was written by John Hensberger, Managing Partner of Black Bottle IT. Earlier in his career, John was also part of a company that experienced a cybersecurity breach. That experience fueled his passion for assisting other companies with their cybersecurity needs to mitigate their risk. As a Technology Executive and Cybersecurity Advisor, John was recognized as the Pittsburgh CIO of the Year in 2014.