Breach Lessons from the Trenches
Experian's Michael Bruemmer on Preparedness, Response and Rebuilding TrustThree trends that Bruemmer sees in major breaches that have been reported: Payment card data is the primary target; the vast majority of incidents are still a result of human error; and several of the major breaches were reported by the news media before the forensics investigations even were complete.
That latter point exposes a significant lesson learned from recent breaches: "There needs to be a pre-breach plan in place that contemplates the fact that, if someone in the media gets hold of information that should not be announced until forensics is completed, the organization needs to have a plan in place to [account] for that," Bruemmer says. "In the [incidents] I mentioned, some of them have not had a plan, and you've seen them look flat-footed in the media when it's announced before they were ready."
In an interview about lessons learned from breach investigations, Bruemmer discusses:- Breach trends by industry;
- The role of cyber insurers;
- How to rebuild customer trust after a breach.
Bruemmer is Vice President, Experian® Data Breach Resolution at Experian Consumer Services, the leading provider of online consumer credit reports, credit scores, credit monitoring, other credit-related information, and protection products. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services.
Incident Types
TOM FIELD: What do you find different about the types of incidents that you're investigating this year as opposed to last year?
MICHAEL BRUEMMER: If I look back so far this year, I see three things that are different about high profile breach incidents. First, three or four of the largest ones have been exposed by the media before the forensics' phase was complete. Second, the most information that was exposed from a sensitive standpoint was credit card user name and password, not necessarily social security number. And then third, unfortunately 85 percent of the root cause as reported publicly is still human error and I'm surprised that hasn't gone down in 2014.
Public Exposure
FIELD: Do you find that these are being exposed publicly before the organizations are even prepared to answer questions about them?
BRUEMMER: From what we've seen how organizations come out in the media, I would say absolutely. There needs to be a pre-breach plan in place that contemplates the fact that if someone in the media gets ahold of information that should not be announced until forensics is completed, the corporation or the organization needs to have a plan in place to accomplish that. The ones that I mentioned, some of them have actually not had a plan and you've seen them look flat-footed in the media when it's announced before they were ready.
Key Lessons
FIELD: So when you look at some of these incidents, what do you see as the key lessons that we can draw from them?
BRUEMMER: Well, as we saw in our recent e-book titled "Lessons from the Trenches," first is: No one or no organization is immune to a data breach. Second, by doing that complete forensics investigation first, some firms find they don't have to notify after a major initial worry or in the case of having to notify, they are well prepared with all the complete information. And then third, as recent data has shown, the number one issue for data breach response is still rebuilding the trust with your consumers, your patients, employees, or shareholders, whoever is part of that effected class.
Sector Trends
FIELD: What are the trends that you're seeing within specific industry sectors in terms of breaches?
BRUEMMER: Well, in the past two years, the healthcare sector still is the number one in terms of actual incidents announced and effected population in terms of size of the actual breach itself. Retail is still strong, and that's led by some of the activity early in the year. And then rounding out the top four are e-commerce, with some of the large payment folks that have been effected this year. Then finally, as we saw this week, the public sector in the case of Butler in Montana over the first six months of this year.
Communicating to Effected Parties
FIELD: What have we learned about communicating to effected parties after a breach?
BRUEMMER: Well with consumers suffering from breach fatigue, we had showed last year that at least one in three people have received a data breach notification. And quite frankly I actually read something this morning that said in a survey, almost 46 percent of the people so far this year that we're surveyed have received a breach notification, which puts that number even higher. So clear communication in the notification is essential. What happened in taking full responsibility for that issue? Two, how did the breach impact the effected party as an individual? And then three, what steps are the organizations instructing the people to do to protect themselves for fraud or identity theft going forward?
Cyber Insurance
FIELD: What do you see as the emerging role of the cyber insurer after a breach?
BRUEMMER: The cyber insurers that we work with have tremendous resources. They can help organizations build a response plan. They can bring in that third-party expertise such as legal, forensics, notification, credit monitoring to name a few. The top firms that we work with provide a turn-key solution usually with a very experienced breach coach managing the entire response and coordinate both the inside and third parties on the team. And these cyber insurers are getting much better because of the rate of breaches we see about over 30 percent of the events that we work have a cyber-insurer involved.
Rebuilding Customer Trust
FIELD: What do you see as some of the key do's and don'ts related to rebuilding trust with customers?
BRUEMMER: Well, Tom, on the do side, first and foremost take responsibility for the event and say you're sorry. Be clear and concise in your notification letter. Do provide identity theft protection like protect my ID. In fact, the Ponemon study that we recently did said that 63 percent of consumers expect an organization to provide some sort of identity theft protection.
The don'ts side: don't be caught off-guard without a pre-breach plan. Don't be anxious to jump to the details of an incident until you have a good handle on the forensics and get the facts right the first time you go public. Don't have any regrets. Put yourself in the position of that effected party and treat them like you would want to be treated by your own organization, and that's critical to that rebuilding trust with that effected party.
Common Mistakes
FIELD: What do you find as a common mistake organizations are making following a breach?
BRUEMMER: The two most common mistakes really haven't changed over the past six months. The first one is even an organization that has a plan still isn't going to the next step and practicing that plan. You can't rely on a book on the shelf, a software program, or worst case starting from scratch when you have an event. You need to build that plan and do the live fire exercise. And in fact, studies show that people that have a plan can save about 25 percent on the overall cost of the response and consumers, employees, and shareholders will all be better served. The second common mistake is not providing a comprehensive identity theft protection product. That includes credit monitoring, change of address, insurance coverage up to a million dollars, and full fraud resolution. You can't short-change people regardless of what was compromised and give them something that they can't use to protect themselves going forward.