Building on part one of our conversation, where we discussed the evolving board landscape and the top security concerns that come with it, this second part looks at breach response and how boards can prepare for it.
Brian Stafford, board expert and CEO of Diligent, a provider of secure online collaboration for boards, and Sandra Fathi, president and founder of Affect, a public relations and communications firm based in Manhattan, continue to give their perspectives from an internal and external point of view.
Q5: What are the biggest implications of a data breach?
Brian: Hackers may be out to profit from the information, shame or embarrass those involved, or create business disruption. Depending on the hacker's goals, the information they are after can vary as well – some examples include company secrets, strategies against competitors, evidence of impropriety, dismantling partnerships, troubled M&As, etc. In any event, it's good to be prepared and have a set of internal and external messages ready to be adapted to the specifics of any situation.
Sandra: A data breach can lead to a wide variety of negative consequences from the public’s standpoint. It can be as straightforward as having a negative impact on a company’s reputation (Target breach) or as severe as a complete loss of confidence in the business. It can also lead to civil lawsuits (Ashley Madison breach), criminal charges, fines and sanctions by governmental bodies or third parties. Often, senior executives are held accountable, and the C-suite could definitely be in jeopardy. Making reparations to customers can also be a costly endeavor, as the average cost of a data breach has increased 23% to $3.8 million.
Q6: What are best practices for responding to a data breach that originated at the board level?
Brian: With cyber-attacks being a “when, not if” problem, board members must evaluate and get in front of the situation, inform the affected individuals if necessary, and prepare a statement for when the details are made public. Depending on the attacker's motivation (financial gain, embarrassment, business disruption, etc.), they may take different actions with such information. At this point, it’s important to know ahead of time who will be in charge, what level of public disclosure the company should give, and when it will be announced.
A key best practice is to appoint a media spokesperson and instruct the rest of the organization to funnel all requests to that person. He or she will also head public disclosures before the story gets to the press, so the message can be controlled. Likewise, it’s important to inform any partners or clients who are involved so that a united mitigation plan can be put into place.
Another best practice is to ask for second opinions if needed. If you think there was any wrongdoing within the executive team or the board, make sure to bring in external counsel to invoke attorney-client privilege. This will help guard the rest of the company in case the risk is internal.
Sandra: We always recommend having a crisis plan at the ready using the “4 Rs” framework: Readiness, Response, Reassurance and Recovery. This framework provides a path of action and accountability regardless of the type of crisis or the people involved. Essentially, a good crisis plan includes a decision flow-chart structure – “if this, then that” type scenarios. These are pre-approved and pre-packaged whenever possible to make decisions easier in a time of stress and uncertainty, as well as to provide clear direction and approved protocols for responding to the public or other stakeholders.
In terms of specific examples, if management details or staff changes are leaked, the issue is typically about stakeholder confidence, and it is important to respond quickly to reassure internal and external audiences that the situation is under control: essentially, that the departure of a key executive or of certain staff is not going to interrupt business as usual. Therefore, having an immediate statement, naming an interim executive, and outlining the company's plan of action are key.
When it comes to M&A deals, there could be a lot more involved, particularly if either entity is public. A leak may require disclosure, have far-reaching financial implications for the stock of either company, and draw the attention of the SEC or other authorities. Following the letter of the law and providing accurate and immediate compliance with disclosure rules are key. In many situations, the entire deal could be derailed by a leak.
Q7: What can companies do to protect their boards and sensitive materials from a breach or leak? How should they prepare?
Brian: From a people perspective, maintain strong passwords and educate the board on password and device protection. As for the data, make sure it is encrypted and accessed on authorized devices only. Remember that even if a document is securely sent as a PDF, it is only as secure as the device if it is downloaded onto a personal laptop or iPad. In fact, it is a best practice that all board communications and messaging should be encrypted.
If you are working with a digital tool or service organization, they can lock the file away and keep it encrypted so that it can only be accessed on that particular protected platform. Make sure that their services allow for quick and personal problem resolution so that board members don't need to find "work-arounds" if something goes wrong.
Sandra: If you are using a digital board tool to communicate with the Board of Directors, it should have all of the security protections built in, like encryption, password protection and device security management. However, you also need to be concerned about how you are sharing information with other parties, including lawyers, accountants, public relations firms and even people within the organization. It could be anyone from a cleaning person to a trusted advisor who has access to unsecured information.
Board materials are among the most sensitive pieces of information in a business. It’s incumbent upon the board today to ensure that their companies have the proper safety protocols, technology solutions and protections in place to prevent a security breach. These, together with a proper crisis plan to act on should a breach occur, will add peace of mind as companies operate in an increasingly digital age.