Zappos Breach Notice: Lessons Learned

Privacy Attorney Offers Mixed Reviews of Retailer's Incident Response

Francoise Gilbert of the IT Law Group won't give Zappos an "A" for how the online retailer reacted to its recent data breach affecting 24 million customers. The response included shutting off phone lines and denying customers outside the U.S. access to the site.

Still, organizations can learn from the incident, she says, and there are steps they can take to better prepare themselves for a breach.

Plain and simple, organizations should already be prepared for a breach, Gilbert says. "It should not be an incident where suddenly it's Monday morning and we wake up and say, 'Oh my god, what should I do,'" she says in an interview with Information Security Media Group's Tom Field [transcript below].

According to Gilbert, the way Zappos handled the security breach is questionable. "There are some things, such as closing down the phone lines, that make us question whether there was any preparation for any type of security breach," Gilbert says [See: Zappos Breach Affects 24 Million].

For organizations looking to improve their response efforts, they need to ensure they've established an incident response plan, Gilbert explains. "It's time for companies to have a [plan], to be prepared to have organized their company, phone lines, forensics, to have established that relationship with the Secret Service, the FBI and so on," she says.

When it comes to breach notification, Gilbert suggests that companies include enough information to make customers feel at ease. Also, action items need to be included to point customers in the right direction about what to do now that the breach has happened. This item was "missing from the Zappos notice," Gilbert says. "There's not enough to tell customers what to do, what they should be doing to protect themselves."

During this interview, Gilbert discusses:

  • The tone and content of Zappos' breach notice;
  • Missteps the company took by shutting down its phone lines and web site;
  • Breach preparedness advice for organizations of all sizes.

Gilbert has extensive, in-depth experience with data privacy and security issues, Internet, eBusiness and information technology law. Her clients include numerous Fortune 500 and other global corporations, as well as selected emerging technology start-ups. She advises companies on how to strategically manage their privacy, security, electronic workplace, and e-business risks, develop and implement information privacy and security strategies and compliance programs, and integrate privacy and security in mergers & acquisitions, outsourcing, marketing, and other relations.

She regularly addresses a wide range of privacy and security issues, from HIPAA, COPPA or CAN-SPAM compliance, to security breach disclosure laws, implementation of FTC or HIPAA security safeguards, U.S. Department of Commerce Safe Harbor self-certification, or foreign data protection laws (Western Europe, North America, or Asia Pacific) and cross-border data flow issues.

Zappos: Breach Response

TOM FIELD: Zappos has just announced its data breach that impacted 24 million customers. How do you gauge their breach-notification practice based upon what you've seen?

FRANCOISE GILBERT: Well, it depends on how you look at the issue. There are two issues to look at. One is, given the nature of the breach, I was surprised [because] was Zappos required to make their notice of disclosure? Was it required by law to notify customers? Then number two, if Zappos was not required by law to notify customers and it opted to do so anyway, how did they handle that particular notice? Going back to my number-one question, did they have to do that? Was there a law that required them to do that? Based on what I see of what has been exposed or lost, it doesn't look like they would have an obligation to notify customers. From the press reports, it has e-mail addresses, names and shipping addresses; it doesn't reach the level of the requirement that we see in the data breach disclosure laws.

So, Zappos probably didn't have to make this kind of notification. We have to give them credit for the fact that they did that because they made the decision that this is the right thing to do for our customers. We want to help our customers even though we're not legally required to do that.

Then the next question is, given that they did that not because they were required to but because they thought it was the right thing, how did they handle the situation? Then maybe we can criticize that some of the aspects of their notice, or the way they were handling the customers, are a bit awkward, but remember that this is not one of the major types of security breach. It's more of a minor type of security breach because, according to law, it didn't use credit card numbers. It didn't use driver's license numbers.

FIELD: If I may just follow up on that. Do you think we're entering an era perhaps where, even if there's not a legal obligation for a company to notify customers in the event of a breach, there's sort of a moral obligation from a company to the customers to let them know that something has happened that could expose them even to phishing?

GILBERT: I think we're entering this type of era. This is something that started last year, in 2011, when Epsilon encountered a situation very similar to that, where Epsilon was hacked and e-mail addresses and names were disclosed, were taken away by the hackers, and Epsilon made the decision to notify the public, or its own clients, that there had been a problem. Epsilon didn't have to do that. The breach that they had was not one that was covered by the data breach disclosure laws, but they did that. They did the right thing, and I think this was a very important moment in the history of security breaches because Epsilon said this is the right thing to do.

I think there should be more companies doing that and probably Zappos acted in the same state of mind. So yes, the world is changing.

Breach Notification

FIELD: We'll credit Zappos for stepping up and notifying customers whether they did or didn't have to legally. Let's talk about some of what we've seen just because this will be a lesson for other organizations. As you read the breach notification to the customers, how were you struck by the tone that seemed at times to be sort of informal?

GILBERT: It's a good thing. It's a good thing, the tone being informal. One of the issues in security breaches is that the average Joe gets a heart attack each time [he/she] opens the letter, and people are very concerned and the man on the street does not understand this thing and gets scared, excited, and has emotional distress and all that stuff. One of the important things when we do a notification letter is to make people feel good. This is not the happiest day in your life, but you have to be communicating with them in a way that shows them that you're in charge, that it's not the end of the world. We're taking care of you. This is what's happening and we're going to help you do something. We're going to work together in going through with this. The casual tone is not necessarily a bad thing. You want to communicate with your customer in a way that makes them feel good and not scared.

FIELD: There were few details offered in this notification, and for one, we didn't learn how the breach might have occurred. Zappos said that there's an exhaustive investigation; we don't know by whom. Do you feel there's an appropriate amount of detail here, or some items that Zappos should have addressed?

GILBERT: Again, that's a difficult question. As the customer you would want to know every single detail, but at the same time you have to think about the security aspect because there are hackers somewhere who have done that. I'm sure that they would love to know how much Zappos knows about the hack and how much the police or the FBI or the U.S. Secret Service know, and you can't tell them. When you write a notification letter, you can't give away all the information that you have because that would be putting the whole thing in jeopardy. You have to be very careful on how much you say to a customer because this is going to be public information. In the Zappos case it has been posted on their website. You have to balance how much you say to the customer and how much you decide you keep secret for the professional security.

Response: Positives and Negatives

FIELD: Now Zappos took a couple of, I'd say, extraordinary steps here. One, they expired their customers' login information so they would have to go back in and register again and have new information. They also shut down their phone lines and shut down access to parts of the site from outside of the U.S. How do you feel about these steps that they took?

GILBERT: That's more questionable. I would not give them an "A" on this one. I understand why they did that because they were overwhelmed, but that's not appropriate for a company of that size. Zappos is not a start-up. When you have a start-up and a start-up gets surprised by an event, you can say they didn't know, but Zappos is a mature company. They have been in business for 12 years. They're an Amazon subsidiary so they have behind them a very competent company and they should not be overwhelmed because they're expecting 24 million phone calls. That's the black eye; that's a bad thing. There are companies who could help them and as a company, they should have thought of incident-response situations and one of these things that you get done when you prepare your response to an incident is to plan how you're going to communicate with your customers. In this case, shutting down the line definitely is not the appropriate situation. And I should say I'm currently speaking with you from Europe and I've tried to look at anything related to Zappos and it's impossible. The Zappos website is locked and we don't get anything. If you do Zappos.com from here in Europe you get a blank page and it says, "Sorry we're doing some maintenance." That's not good.

FIELD: What would you say that we've learned both positive and negative from the immediate breach response to this incident?

GILBERT: The good thing we've learned is that breaches of security that affect other than the elements that are listed in all of the security breach laws are also breaches that companies have to take seriously and they should, in certain circumstances, give notifications to their customers even if they have not lost the credit-card information or the driver's license information. That's the positive and the most important thing for companies to learn. Now from the pure breach-disclosure standpoint, there are two very important things to remember. Number one, security is very important and so you should have a good security plan. You should have good security measures; you should enforce them. You should be very careful about your security and in this case we don't know yet, but there may be questions about the nature of the security.

Number two, security breaches exist. The laws have been in existence now for almost ten years and we can assume it's time for companies to have an incident response plan to be prepared to have organized their company, to organize the phone lines, to have organized the forensics, to have established that relationship with the Secret Service, the FBI and so on. They should be prepared. It should not be an incident where suddenly it's Monday morning and we wake up and say, "Oh my god, what should I do?" There are too many companies who are just ignoring their preparation movement for handling a security breach and Zappos may be an example of that. There are some things, such as closing down the phone lines, that make us question whether there was any preparation for any type of security breach. How would they have handled the same breach if they had lost credit cards? Would they also shut down their website?

Lessons Learned

FIELD: Again, talking about lessons learned from other organizations, what would you tell them is most important to include in breach notification, in notifying your customers of an incident?

GILBERT: Include enough information to give your customers a good feeling that you're in control, and of course you're not going to lie, but the customer needs to know that you're in control and you're going to do something and you're going to help. Number two, something that's missing from the Zappos notice is there's not enough to tell customers what to do, what they should be doing to protect themselves. Give them a website. Go visit the website of the Federal Trade Commission on how to handle a breach. Go educate yourself about why this is important and why you should be paying attention. You should educate your customers, and that's missing in the Zappos notice. The person who received that has never received a breach notice before and is not a security professional. He or she is going to say, "Oh my god. What do I do?" In this particular case, the issue of the password, you should explain to people why it's important that they change their password on other sites. So, educating your customers more: the best thing you can do with your customers is educate them so that they help you.

FIELD: We've learned certainly from the past year that organizations of all sizes are at risk for breaches. What advice would you offer to organizations based upon what we've seen here that they should do to acknowledge and mitigate their risks?

GILBERT: They should be as quick as possible to react to a breach. They should be prepared ahead of time to handle a breach. They should pay attention to their security measures. They should pay attention to what their employees are doing, because in most of these cases the breaches occur because of an employee mistake. It's too easy to blame the hackers. Hackers get in companies because the security is poor. Pay attention to your security. Pay attention to what's happening to your company and then if you see a breach, react as soon as possible. Work with your customers; you should be a team. Your customers are part of the solution and you should work with them and keep good contact with them.
