Breach Readiness: Lessons from Zappos

Privacy Attorney Offers Tips for Improved Incident Response

By , February 7, 2012.
Francoise Gilbert of the IT Law Group won't give Zappos an "A" for how the online retailer reacted to its recent data breach affecting 24 million customers. The response included shutting off phone lines and denying customers outside the U.S. access to the site.

Still, organizations can learn from the incident, she says, and there are steps they can take to better prepare themselves for a breach.

Plain and simple, organizations should already be prepared for a breach, Gilbert says. "It should not be an incident where suddenly it's Monday morning and we wake up and say, 'Oh my god, what should I do,'" she says in an interview with Information Security Media Group's Tom Field [transcript below].

According to Gilbert, the way Zappos handled the security breach is questionable. "There are some things, such as closing down the phone lines, that make us question whether there was any preparation for any type of security breach," Gilbert says [See: Zappos Breach Affects 24 Million].

For organizations looking to improve their response efforts, they need to ensure they've established an incident response plan, Gilbert explains. "It's time for companies to have a [plan], to be prepared to have organized their company, phone lines, forensics, to have established that relationship with the Secret Service, the FBI and so on," she says.

When it comes to breach notification, Gilbert suggests that companies include enough information to make customers feel at ease. Also, action items need to be included to point customers in the right direction about what to do now that the breach has happened. This item was "missing from the Zappos notice," Gilbert says. "There's not enough to tell customers what to do, what they should be doing to protect themselves."

During this interview, Gilbert discusses:

  • The tone and content of Zappos' breach notice;
  • Missteps the company took by shutting down its phone lines and web site;
  • Breach preparedness advice for organizations of all sizes.

Gilbert has extensive, in-depth experience with data privacy and security issues, Internet, eBusiness and information technology law. Her clients include numerous Fortune 500 and other global corporations, as well as selected emerging technology start-ups. She advises companies on how to strategically manage their privacy, security, electronic workplace, and e-business risks, develop and implement information privacy and security strategies and compliance programs, and integrate privacy and security in mergers & acquisitions, outsourcing, marketing, and other relations.

She regularly addresses a wide range of privacy and security issues, from HIPAA, COPPA or CAN SPAM compliance, to Security Breach Disclosure Laws, implementation of FTC or HIPAA Security Safeguards, US Department of Commerce Safe Harbor self-certification, or foreign data protection laws (Western Europe, North America, or Asia Pacific) and cross border data flow issues.

Zappos: Breach Response

TOM FIELD: Zappos has just announced its data breach that impacted 24 million customers. How do you gauge their breach-notification practice based upon what you've seen?

FRANCOISE GILBERT: Well, it depends on how you look at the issue. There are two issues to look at. One is, given the nature of the breach, I was surprised [because] was Zappos required to make their note of disclosure? Was it required by law to notify customers? Then number two, if Zappos was not required by law to notify customers and it opted to do so anyway, how did they handle that particular notice? Going back to my number-one question, did they have to do that? Was there a law that required them to do that? Based on what I see of what has been exposed or lost, it doesn't look like they would have an obligation to notify customers. From the press reports, it has e-mail addresses, names and shipping addresses; it doesn't reach the level of the requirement that we see in the data breach disclosure law.

So, Zappos probably didn't have to make this kind of notification. We have to give them credit for the fact that they did that because they made the decision that this is the right thing to do for our customers. We want to help our customers even though we're not legally required to do that.

Follow Jeffrey Roman on Twitter: @gen_sec
