data breach response guide for credit unions


Upload: nafcu-services-corporation

Posted on 15-Jan-2015


Category: Technology



DESCRIPTION

This whitepaper goes over the facts about data breaches and identity theft, offers ways to prevent them from happening, and offers ways to do damage control after a breach does occur. http:www.nafcu.org/affinion

TRANSCRIPT

Page 1: Data Breach Response Guide for Credit Unions

1-800-350-7209 | www.breachshield.com

Corporate Data Breach Solutions

100 Connecticut Avenue, Norwalk, CT 06850-3561

www.breachshield.com

About ASC

ASC (Affinion Security Center) is a division of Affinion Group, a global leader in providing data security and protection solutions to corporations and individuals. Backed by over 35 years of experience, Affinion Group has helped the world’s most valuable brands strengthen customer relationships and enhance trust while driving bottom-line revenue.

Featuring a suite of leading consumer protection and data breach solutions, ASC serves local, national and multi-national enterprises including those in the financial, retail and travel industries. Currently serving over seven million personal subscribers, ASC works to strengthen the commitment between organizations and their clientele by providing quick, superior and compliant safeguards against the misuse of compromised data.

The ASC product development team works with you to ensure that your solution directly meets the data security needs of both your organization and its target clientele. But we don’t stop there. ASC provides the continuous support needed to properly administer and promote your solution.

By partnering with ASC, your company’s data security needs will be managed by industry experts who specialize in the restoration and enhancement of trust. ASC works with you to quickly rectify your and your customers’ data security concerns following a data security breach.

Contact ASC today, and enjoy all the benefits that our capabilities and experience can offer.


© 2009, Affinion Group

BreachShieldSM


Affinion Security Center | BreachShield

Data Breach Response Guide

Their information | Your reputation | Our experience.

Page 2: Data Breach Response Guide for Credit Unions

Notice to Readers

This paper is not intended as legal advice and we encourage all companies to seek legal counsel regarding issues discussed in this document. If you have any suggestions to help enhance this workbook, please [email protected]. We appreciate your feedback.

Please remember this book is intended to assist companies with their security standards. Not every solution will be a perfect fit and different circumstances will determine the best solution for each individual company.

Version 1.0

© 2009, Affinion Security Center

Page 3: Data Breach Response Guide for Credit Unions


Contents

1 Introduction
   04 An Explanation of Affinion’s Expertise
   05 The Facts About Data Breaches: What Is a Data Breach?
   07 FAQ & Terminology
   10 Case Study 1.1 | Insurance Services Company

2 Explanation of Laws
   11 States That Require Disclosure
   11 Red Flag Rules

3 Breach Preparation & Response
   12 Preparation
   12 Assemble Team
   13 Documentation
   13 Response/Protection
   15 Case Study 3.1 | Large Healthcare Company
   16 Case Study 3.2 | Large Grocery Chain

4 Communication
   17 Crisis Communication
   20 Case Study 4.1 | The Largest Data Breach in History
   21 Case Study 4.2 | Federal Government Agency
   22 Case Study 4.3 | Financial Institution

5 Solutions
   23 Notification
   23 Enrollment Options
   23 Member Services

6 Breach Recovery Materials
   25 Sample Press Release
   26 Sample Letter to Employees
   28 Sample Letter to Customers

7 Resources
   29 Industry Experts, Contact Leads

Page 4: Data Breach Response Guide for Credit Unions


An Explanation of Affinion’s Expertise

For over 35 years, Affinion Group has provided customer engagement solutions for more than 5,300 clients across multiple industries. In 1991, Affinion Group launched the first identity theft protection service available, PrivacyGuard®. With its development of IdentitySecureSM, acquisition of CardCopsSM, and strong industry partnerships, Affinion has maintained its leadership by creating and delivering the most comprehensive, proactive and preventative solutions in the marketplace.

Leading fraud experts, including Frank Abagnale, subject of the book and movie Catch Me if You Can, have endorsed Affinion Security Center’s protection solutions.

As a natural extension to our world-class protection service suite, Affinion launched BreachShieldSM, a full service, rapid response data security breach response and delivery program. National and multi-national enterprises, including those in the financial, retail and travel industries, partner with Affinion Group for our BreachShield data breach solutions. Since 2007, Affinion’s BreachShield services have been provided to over five million individuals whose identities have been compromised by a security breach.

For more information on how to implement your breach strategy and solution, please call a BreachShield security expert at 1-800-350-7209.


Page 5: Data Breach Response Guide for Credit Unions


The Facts About Data Breaches

In the past 12 months, the number of identity fraud victims increased 22% to 9.9 million adults, for an annual incidence rate of 4.32%.1 It is now more important than ever to remember your customer’s experience during a breach incident. The customers and/or employees should easily be able to understand the breach solution you have put in place. Poor communication and execution could cause a significant customer service challenge and could lead to negative PR, heightened media scrutiny, and increased cost.

The total average cost of a data breach grew to $202 per record compromised, an increase of 2.5% since 2007 ($197 per record) and 11% compared to 2006 ($182 per record).2

Increasing incidents where a third party is responsible; growing costs: Since 2005, the percentage of incidents where a third party such as an outsourcer or consultant was responsible for a data breach has increased from 21% in 2005 to 29% in 2006 to 40% in 2007, to 44% in 2008. After experiencing a large gap, the difference in cost for a data breach based on responsibility has become increasingly stable. In 2005, the difference in per-record compromised costs between third-party and internal responsibility for a breach was $12. In 2007, that difference grew to $67, and in 2008 that amount was $52. Third-party outsourcers or consultants often analyze or process large volumes of customer-related information.2

1. 2009 Identity Fraud Survey Report: Identity Fraud on the Rise But Consumer Costs Plummet as Protections Increase

2. 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC, February 2009

Page 6: Data Breach Response Guide for Credit Unions


The Facts About Data Breaches (cont.)

• As of Oct. 1, 2008, 44 states and the District of Columbia require companies to notify individuals (consumers or employees) regarding a potential or actual breach

• Social Security numbers (38%) and names and addresses (43%) were the data most frequently compromised. Although 15% of victims suffered ATM or debit PIN compromise, and 13% credit PIN compromise, only 9% of victims went on to experience ATM cash withdrawals. Both fraudulent online and in-person purchases increased in 20081

• The total annual fraud amount in 2008 measured $48 billion, versus $45 billion in 20071

• Increased availability of public information combined with easy Internet access has left consumers vulnerable to far more devastating types of identity theft

• Over 88% of all cases this year involved incidents resulting from negligence. Per-victim cost for data breaches involving negligence cost $199 per record versus malicious acts costing $225 per person2

• On average, consumers spent nearly $500 of their own money to clear up fraud3

• New account fraud cost the industry $18 billion and $579 per victim3

• Healthcare and financial services suffer highest customer loss: Healthcare and financial services companies have the highest average rate of churn – 6.5% and 5.5%, respectively. High churn rates reflect the fact that these industries manage and collect consumers’ most sensitive data. Additionally, the average cost of a healthcare breach ($282) is more than twice that of an average retail breach ($131). This is another sign that consumers may have a higher expectation for the protection and privacy of their healthcare records3

• Trust may be intangible and hard to quantify, but the result of breaking that trust is clear, as the cost of lost business represents 69% of the total cost of a data breach3

• The majority of breaches in 2008 occurred at merchants and businesses (37%), followed by the education sector (22%)4

1. Javelin 2009 Identity Fraud Survey Report: Identity Fraud on the Rise But Consumer Costs Plummet as Protections Increase

2. 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC, February 2009

3. Javelin Strategy & Research 2009 Identity Fraud Survey Report

4. Javelin Strategy & Research 2008 Data Breaches


The three main forms of identity theft and their frequency, as determined by the Federal Trade Commission, through a survey of actual identity theft victims:

• New accounts and other fraud

• Misuse of existing non-credit card account or account number

• Misuse of existing credit card or credit card number

Identity Theft Resource Center Report, January 8, 2008


Page 7: Data Breach Response Guide for Credit Unions


FAQ & Terminology

What is a data security breach?
In simple terms, a data security breach occurs any time there is unauthorized access to company data.

How do data security breaches occur?
Lost laptops and system failure are the main causes of data breaches (35% and 33% respectively). Within the classification of “systems glitch,” respondents cited a number of different issues, including software applications development that did not anonymize live customer data, merger/acquisition activities in which customer data was sent to an unrelated law firm by mistake, credit card processing systems infiltrated by malware, social engineering attacks and insecure wireless connectivity, among other IT-related glitches which caused a breach.1

What is the impact of a data security breach on an organization?
The impact of a data security breach can be far reaching and long lasting. This includes loss of data, compliance pressures, customer loss or attrition, diminished trust, reduction in brand equity, litigation, and negative media coverage. Any and all of these issues have the potential to erode shareholder value and customer confidence. As such, the smooth execution of a comprehensive breach response is critical to managing and reinforcing the trust of your clientele. In fact, an effective response can actually transform the negative implications of a data security breach into a valuable brand-enhancing and loyalty-building opportunity.

How should I notify the impacted population that a data security breach has occurred?
It is important to alert the impacted population in a clear, concise and timely manner. However, merely informing your clientele of a data security breach could prove catastrophic. A more effective post-breach strategy is to brief clientele on the proactive measures you are implementing to protect them. Taking a responsive leadership role in your communication strategy can play a significant role in restoring – and even increasing – clientele loyalty after a data security breach occurs.

1. 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC February 2009

Page 8: Data Breach Response Guide for Credit Unions


FAQ & Terminology (cont.)

What should I offer to the impacted population of a data security breach?
What you provide to your clientele will depend on the risks ascribed to the particular data security breach. However, general best practices include the provision of:

• Credit reports from the three major credit reporting agencies

• Credit monitoring alerts

• Fraud alerts

• Identity theft insurance

• Identity fraud resolution services

Your ASC BreachShield consultant will be able to determine the most effective benefits configuration based on the unique circumstances and characteristics of your data security breach.

If a data security breach occurs, what am I required to do by law?
Each state has differing regulations about the reporting and recompense for resolving a data security breach. In addition, if your organization touches clientele across state lines, you may be subject to different compliance requirements based on the location of the affected parties. You should check with your legal department regarding your legal requirements.

Why should I take action beyond my legal obligations?
There are many reasons to address a data security breach even if you are not required to do so by law. In a world where information can be shared instantaneously, you need to consider possible repercussions, should your clientele be notified of your data security breach by another entity. Additionally, notifying and protecting the impacted population reflects the responsibility that your organization feels toward its customers, employees, suppliers and other valued partners. Lastly, a seemingly negative event, when handled well, can actually be leveraged as a relationship building activity.

What are Credit Monitoring and Alerts?
This service monitors changes to an individual’s credit records with one of the national credit reporting agencies (Credit Bureaus). Members will be notified of any changes to their records on file with that agency. Those changes could include events such as new accounts opened or a change in credit score.

What is Triple-Bureau Credit Report with Triple-Bureau Credit Score?
This service delivers Credit Reports and Credit Scores from all three major credit reporting agencies. Customers also receive a comprehensive analysis, detailing which factors impact their rating.


Page 9: Data Breach Response Guide for Credit Unions


FAQ & Terminology (cont.)

What is the difference between Identity Fraud Resolution and Identity Restoration?
Resolution services provide consumers with the tools they need to remedy the negative impact of identity theft. Additionally, consumers are provided with a dedicated caseworker who will work with the individual throughout the duration of his or her case until all issues are resolved.

Identity Restoration requires that an individual sign over his or her power of attorney to a third party who will then be responsible for the case.

Identity Restoration may be a source of concern to a victim because it requires consumers to hand over power of attorney at a moment of crisis. Also, the individual’s active involvement in his or her case mitigates risk and ensures accuracy. With the help of ASC’s Identity Fraud Resolution caseworkers, victims of identity theft will have all the tools they need to resolve their cases.

What is a Fraud Alert?
A fraud alert is something that the major credit bureaus attach to your credit report. When you, or someone else, try to open up a credit account by getting a new credit card, car loan, cell phone, etc., the lender should contact you by phone to verify that you really want to open a new account. If you aren’t reachable by phone, the credit account should not be opened.

Do Fraud Alerts always work?
Not necessarily. There are many forms of identity theft that do not pass through the credit bureaus, thereby making a fraud alert alone insufficient. That’s why ASC recommends a comprehensive solution that addresses all the forms of identity theft cited by the Federal Trade Commission.

Page 10: Data Breach Response Guide for Credit Unions


Case Study 1.1: Insurance Services Company

Background
In Dec. 2007, a large provider of insurance products suffered a data breach that impacted more than 500,000 people. The breach exposed personal and financial information, including names, addresses, Social Security numbers, bank account numbers, employer information, salary information, medical insurance information and more.

Notification
The company alerted its partners, and began notifying customers in March 2008. It spent more than $700,000 to mail notification letters to the affected population. However, the letters left many end-customers confused, because they had no direct relationship with the parent company that experienced the breach.

Due to budgetary constraints at the time, the breached company chose not to offer any type of credit monitoring or identity theft protection to those customers who had their information compromised.

Reaction
Negative media stories about the company began to circulate and, combined with legal pressures, caused the company to seek help from Affinion’s breach response team. The company was interested in a low-cost breach solution, as it only had a remaining budget of $500,000 to spend on a breach resolution.

The breach response team immediately implemented a second mailing to all customers advising them that their information had been stolen, and offering them identity theft protection services. Significant time and money could have been saved had this company had a breach response plan in place, and executed it immediately after discovering the breach.

Lessons Learned
Explain the relationship. Since the breached company in question was a B-to-B service provider to the companies that consumers dealt with, the consumers were confused by the notification letters.

Optimize call center communication. Call center agents should expect that customers will be angry and scared when they call for more information. Provide call center agents with facts, background information and remedies so they can explain what happened, and offer the callers support.

Offer the solution to all customers. Offer identity theft protection services to all of your affected or potentially affected customers. This may lessen consumer anger, and in this case, may have made them less likely to file the class-action lawsuit.

Plan your communication. Save time, money and damage to your company’s reputation by planning your response to a data breach in advance.


Page 11: Data Breach Response Guide for Credit Unions


2 Explanation of Laws

As of Oct. 1st, 2008, in addition to Washington DC and Puerto Rico, there are 44 states that have breach notification laws. The only states that did not have these laws are: Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota.

Who is requiring compliance?

• Federal Deposit Insurance Corporation (FDIC)

• Federal Reserve Board

• Office of the Comptroller of the Currency (OCC)

• Office of Thrift Supervision (OTS)

• National Credit Union Administration (NCUA)

• Federal Trade Commission (FTC)

Red Flags
Final rule adopted under sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”) regarding identity theft red flags for financial institutions and procedures that users of consumer reports should use in the event they receive notices from consumer reporting agencies (“CRAs”) of address discrepancies.

Section 114 of the FACT Act requires the agencies to jointly issue regulations and guidelines identifying patterns, practices and specific forms of activities that indicate the possible existence of identity theft.

Section 114 also directs the agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures to identify possible risks to account holders or customers. The rules went into effect on Jan. 1, 2008, and compliance is required by May 1, 2009.

What is required?
The new rule requires financial institutions to implement a written program designed to detect, prevent and mitigate identity theft in connection with a covered account.

The program must be tailored to the institution’s size, complexity and the nature of its activities. The program must also contain reasonable policies and procedures that:

1) Identify relevant Red Flags for covered accounts and incorporate them into the program.

2) Detect Red Flags that have been incorporated into the program.

3) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.

4) Ensure the program is updated periodically.

The program is to be approved by the institution’s board of directors or an appropriate board committee.

Information concerning legal aspects of security breaches may have changed since the publication of this booklet. Always consult your legal counsel regarding security breaches.

Page 12: Data Breach Response Guide for Credit Unions


Breach Preparation & Response

It is important to prepare and plan ahead by completing a Data Breach Incident Response Plan. Should a breach occur, you are well-positioned to move swiftly by following your completed Data Breach Incident Response Plan. It is important to document all ongoing events, all people involved and all discoveries into a timeline for evidentiary use.

BreachShield’s data security professionals are experts at developing effective data breach solutions for before, during and after a breach incident. However, advance preparation can greatly reduce the time it takes to resolve a data breach, as well as minimize the inevitable panic and confusion that stems from such a critical event. Contacting BreachShield prior to an actual breach enables your organization to have an effective response strategy already in place and ready to implement at a moment’s notice.

Another helpful tactic is to develop a set of breach scenarios that could affect your clientele, and define the tasks that need to be accomplished to help resolve potential issues. In addition, designating the incident response teams and assigning specific tasks to each team member before a breach will help familiarize the responsible parties with their duties, streamlining response times and reducing the chance of error during an actual breach.

Incident Response Action Plan

Once confirmation is established, it is essential to execute a timely incident response plan.

Assemble your incident response team
Designating the members of the incident response team – and providing the necessary training – prior to the actual data breach will provide quicker recovery and cost savings over the use of ad hoc teams. BreachShield recommends that your incident response team include at least one senior member from each of the following departments:

• Executive Management

• Legal

• Customer Service

• Public Relations

• IT

• Compliance

• Risk Management


Page 13: Data Breach Response Guide for Credit Unions


Breach Preparation & Response (cont.)

Select an incident response project lead
In our experience, the best incident response project leads demonstrate an acute understanding of the organization’s current customer relationships and are able to strategize effective ways to preserve brand equity.

Document all relevant information
Accurate documentation of the events leading up to, during, and after the data breach will both aid the incident response team’s investigation and help prevent future occurrences. BreachShield suggests compiling the following information while simultaneously preserving all evidence in its original form:

• Date and time of data breach

• Method of data breach

• Extent of data breach

• Quantity and identifying factors of the impacted population
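A tamper-evident form of that timeline, as an added example that is not part of the guide: each entry records the time, the person recording it, its category (discovery, method, extent, population, action) and a fingerprint of any original evidence, and each entry is hashed together with the previous one so a later edit or deletion is detectable. The IncidentTimeline class, the sample incident and every value in it are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical helper for the documentation step above: an append-only,
# hash-chained timeline. Altering, reordering or dropping an entry later
# breaks verify(), which is the property an evidentiary record needs.

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(payload: dict, prev_hash: str) -> str:
    """Hash an entry's canonical JSON form together with the previous hash."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


@dataclass
class TimelineEntry:
    timestamp: str                  # ISO 8601, UTC
    recorded_by: str                # person entering the record
    category: str                   # discovery / method / extent / population / action
    description: str
    evidence_sha256: Optional[str]  # fingerprint of original evidence, if any
    prev_hash: str
    entry_hash: str = ""

    def payload(self) -> dict:
        return {
            "timestamp": self.timestamp,
            "recorded_by": self.recorded_by,
            "category": self.category,
            "description": self.description,
            "evidence_sha256": self.evidence_sha256,
        }


class IncidentTimeline:
    """Append-only, hash-chained record of a breach investigation."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: List[TimelineEntry] = []

    @staticmethod
    def fingerprint(evidence: bytes) -> str:
        """Fingerprint evidence in its original form so working copies can be checked."""
        return hashlib.sha256(evidence).hexdigest()

    def add(self, recorded_by: str, category: str, description: str,
            evidence: Optional[bytes] = None, timestamp: Optional[str] = None) -> TimelineEntry:
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        fp = self.fingerprint(evidence) if evidence is not None else None
        entry = TimelineEntry(ts, recorded_by, category, description, fp, prev)
        entry.entry_hash = _digest(entry.payload(), prev)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, reordered or removed."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or _digest(e.payload(), prev) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def summary(self) -> dict:
        """Pull the four facts the guide asks for (when, how, extent, who) out of the timeline."""
        first = {}
        for e in self.entries:
            first.setdefault(e.category, e.description)  # earliest record of each kind
        return {
            "incident_id": self.incident_id,
            "first_recorded": self.entries[0].timestamp if self.entries else None,
            "method": first.get("method"),
            "extent": first.get("extent"),
            "population": first.get("population"),
            "entries": len(self.entries),
        }


def build_sample_timeline() -> IncidentTimeline:
    """Constructed sample incident; names, dates and counts are made up."""
    t = IncidentTimeline("INC-EXAMPLE-001")
    t.add("j.doe (IT)", "discovery", "Laptop reported missing by staff member",
          timestamp="2009-03-02T09:15:00+00:00")
    t.add("j.doe (IT)", "method", "Unencrypted laptop lost in transit",
          timestamp="2009-03-02T10:40:00+00:00")
    log = b"2009-03-01 18:02 export members.csv 12,400 rows\n"  # constructed evidence
    t.add("a.smith (Compliance)", "extent", "Export of member file present on device",
          evidence=log, timestamp="2009-03-02T13:05:00+00:00")
    t.add("a.smith (Compliance)", "population", "12,400 members: name, address, SSN",
          timestamp="2009-03-02T15:30:00+00:00")
    return t
```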

Your BreachShield consultant will be able to determine the most effective benefits configuration based on the unique circumstances and characteristics of your security breach.

Restore and reinforce the breached data
The measures taken by the incident response team are dependent on the type and scope of the specific data breach incident. Some standard protocols include determining the point of compromise and securing it, managing the affected systems and enacting preventative measures.

Protect the affected population
BreachShield recommends taking a proactive and thorough approach toward protecting the affected population. This can help the impacted organization meet compliance standards, reduce potential liabilities and position itself as a responsible leader. It also helps preserve brand equity by maintaining control of the notification process as opposed to risking awareness through other sources.

Page 14: Data Breach Response Guide for Credit Unions


Breach Preparation & Response

Please remember that every situation is different and some situations may not require you to notify your customers. Depending on the type of data that was breached, a letter may or may not be required. Always consult your legal counsel. If your counsel deems it necessary to contact your customers and/or employees, please consider the following:

The sooner you notify anyone involved, the sooner they can take action to protect themselves.

It is crucial that all notification be clear and concise. Customers should understand the company is aware of the problem and that it is taking steps to help with a resolution.

Communication of this sort requires great care, as improper notification could actually lead to more financial loss. BreachShield helps organizations of all sizes carefully tailor their incident response notification strategy to minimize potential disruptions while simultaneously placing the affected population at ease.

BreachShield’s security experts are available 24/7 to develop timely, effective data breach solutions that address the needs of your specific incident and organization. We can help with: list management services, notification letter development, printing and mailing services and call center support (pre- and post-enrollment).


Page 15: Data Breach Response Guide for Credit Unions


Case Study 3.1: Large Healthcare Company

Background
On Mar. 26, 2007, the names and Social Security numbers of 17,000 current and former employees of a major healthcare corporation were compromised when the spouse of an employee downloaded peer-to-peer file sharing software onto a company-issued laptop.

Notification
Nine weeks after the company confirmed the exposure, it notified the affected employees in a well-written letter, outlining how the data was exposed and what steps the company was taking to help protect those affected. In addition, the company issued one year of free credit monitoring services and a $25,000 insurance policy to each individual affected. The company’s notification letter also provided information and resources for those affected, including a phone number people could call for further information about the breach and instructions for how to sign up for the free identity theft protection services being offered.

The company reinforced its response by dedicating a portion of its website to the breach, providing information and an extensive Q&A section to help victims understand what happened and how they could get help.

Reaction
This company was highly scrutinized by the media as a result of the breach, especially because it took nine weeks to alert the employees affected. After the breach, data security experts questioned whether the company had taken adequate precautions to prevent breaches related to the use of laptops, saying that encryption devices and other security measures could have prevented the loss of data. The breach spurred an investigation, and a subsequent civil lawsuit by the Connecticut Attorney General, where at least 300 victims of the breach resided.

Lessons Learned
State laws can complicate the response. Creating a response that is compliant with the laws of each state where the victims live can be a big challenge.

Offer help in the notification letter. Relevant phone numbers, websites and information on the remedies offered and precautions to take are valuable and reassuring to those individuals affected.

Post information on website. Consumers, employees, investors and the media look to the Internet for information, so it is important for all pertinent information to be available on the company website.

Page 16: Data Breach Response Guide for Credit Unions


Case Study 3.2: Large Grocery Chain

Background On Feb. 27, 2008, a large grocery store chain became aware that it had been exposing customer data for several months, via malwareinstalled on 300 of its computers. It was determined that 4.2 million uniquecredit and debit card numbers with expiration dates were compromisedduring the store’s authorization process. The breach occurred despite thefact that the grocery store received PCI certification in 2007, underwentperiodic vulnerability scans, and was re-certified in 2008.

There were approximately 1,800 cases of reported credit and debit cardfraud stemming from the breach in the months that followed.

Notification On March 17, 2008, the company notified customers of the breach via a letter on its website from the CEO, who stated: “No personalinformation, such as names or addresses, was accessed.”

The media speculated that the company was lying about how muchinformation was exposed, deducing that of the 1,800 victims who reportedfraud stemming from this breach, those must have been names associatedwith the stolen credit card numbers and expiration dates.

Reaction Days after the CEO’s note was posted, the company found itself defending a class-action lawsuit, filed on behalf of customers whose credit or data was stolen.

The suit maintained that because of the company’s inadequate data security,its customers had their personal financial information compromised, wereexposed to the risk of fraud, have incurred and will continue to incur timeto monitor their accounts and dispute fraudulent charges, and haveotherwise suffered damages.

Lessons Learned“Compliance” does not mean “security.” Prepare for the worst. AlthoughPCI compliance is considered extremely safe, it is not a shield against databreach. Even when technical standards are met, it is important for everycompany to prepare for a potential breach.

Use a multichannel approach to reach affected parties. When responding to a breach, it is important to contact as many affected customers as possible.This company did not send notification letters via mail, and opted insteadto post a statement to its website. Only customers who visited the site werenotified directly of the breach.

State the facts. The CEO's statements were called into question by the media and the public as 1,800 cases of card fraud were reportedly linked to the data exposure.


Communication

The nature of crisis communication
Data breaches, because they pose a significant threat to the business, financial, operational and "reputational" health of a company, are considered crisis events.

Crisis events occur within all organizations and, depending on how they are handled, can either reinforce a positive reputation or irreparably damage a brand. That is because a crisis focuses the attention of customers, partners, employees, investors and the general public on an organization, and causes every action to be closely observed, with each action taking on far greater significance. In other words, the stakes are high, and the world is watching. Beyond any legal concerns that the company must consider in the event of a breach, the purpose of communication is to protect the brand and reinforce customer relationships.

Clear, controlled communication of what happened, when it occurred, who was affected and what is being done to rectify the situation is important for navigating a breach crisis and minimizing brand damage.

Time is of the essence
The most valuable commodity in a crisis situation is time. As soon as the breach is discovered, it is important to gather information and quickly determine the appropriate action steps. Although there is some danger in overreacting to a given situation or prematurely sounding an alarm, the vast majority of mistakes are made in assuming something is not a problem or that it will just "go away." A data breach will not go away if it is ignored, and the outcomes always get worse over time.

Breach communication principles
In response to a breach, it is important to incorporate the following core principles in all internal and external communication:

1) Honesty – Always the best policy, and never more important than in a data breach situation where trust and corporate credibility may already be strained. Being forthright and open with information will win points and actually give management more room to operate.

2) Speed – Success or failure in handling a breach is often a function of time. It is critical to move quickly and make the best decisions possible. Having a breach plan in place greatly facilitates quick decision making.

3) Control – Update stakeholders with the latest information, as you get it. Anticipate questions and be there first with information and answers.

4) Facts – Nothing is more important than ensuring the most accurate portrayal of events possible. In all cases, correct the record where necessary and do not allow unsubstantiated or erroneous information to go unchallenged. Do not speculate, always deal with the facts and never guess.

ICR is a strategic communications and investor relations firm with a crisis communications practice devoted to helping companies minimize reputational damage from crisis situations. The firm has guided several large institutions through data breach crises by helping them to define, develop and deliver the communications that meet the needs of clients, partners, investors and the media.

The guidelines and case studies here provide some information on how to react in the event of a data breach. If your company needs additional crisis communication support, please visit www.icrinc.com or call (203) 682-8218.


Breach communication goals
The goal in responding to a data breach is to act and behave at every point during the process in a way that is consistent with the company's values and culture, and at all times place the highest priority on the safety and satisfaction of customers, employees, partners and other stakeholders. All communications should be designed to best achieve the following:

Internal Communication:

• To ensure accurate, consistent and timely communication

• To eliminate or minimize confusion and rumors

• To provide guidance and channels for sound internal decision making

External Communication:

• To maintain the trust, confidence and respect of customers, employees, shareholders, analysts, business partners, public officials and the community

• To maintain credible and productive relations with the media

• To minimize the impact on the company’s brand equity, operations and sales

Media communications
During the course of the breach, and its disclosure, the company may get requests from the media for interviews. It is absolutely essential that communication with the media be highly measured and controlled. Discussion should focus on the facts of the breach, and what is being done proactively by the company to control the situation and protect those affected. If possible the company should always offer a comment, even if it is limited in substance or information. "No comment" should be avoided and every effort should be made to avoid "the company was unavailable for comment."

Communication should also be tightly controlled. Only an authorized spokesperson should respond to media requests and the number of executives allowed to comment to the media should be limited. In order to underscore how serious the company considers the breach, it is best if a senior executive is designated as the spokesperson.


General media communication guidelines
The following five steps provide a helpful framework for response to the media. Every communication should seek to include these elements.

Five steps to prevent F.E.A.A.R

1) Facts – Communicate what you know and don’t know. Correct inaccuracies. Never speculate.

2) Empathy – Always express concern for affected parties. Be human.

3) Accountability – Demonstrate that you will do everything to assist (even if it’s not your fault!).

4) Action – Be explicit about what you are doing.

5) Remediation – Apologize. Fix what is broken and ensure it won’t happen again. Discuss plans to prevent similar incidents from occurring in the future.

Answers may not be available for all questions pertaining to the breach. When information is unavailable or inappropriate for public dissemination, the company should state that it is working to gather relevant information and will make it available as soon as possible.

Case Studies
Over the past few years, data breach incidents have greatly increased. And because the number of identity theft victims has also increased, data breaches continue to capture more attention from the mainstream media and the public at large.

In creating a Data Breach Response Plan, it is important to look at how other companies have responded, and what outcomes resulted from their actions. There are unique lessons that can be learned from each response. The case studies in this book provide an overview of different types of companies and how they responded to different types of breaches. While the specific actions each company took were different, there are two lessons that applied in every situation:

• Timing is Critical: In almost all of the cases below, the companies involved were slow to alert customers to the breach, which led to panic among customers and negative perceptions from the media and the public. Keep in mind that promptly alerting customers and the media demonstrates a proactive interest in keeping customers safe and in finding a solution to the situation.

• Develop a Plan in Advance: No matter what unique circumstances a breach presents, companies with a Data Breach Response Plan in place are able to react more quickly and professionally. Being prepared is the key to a successful response.


Case Study 4.1: The Largest Data Breach in History

Background
This intrusion went undetected for five years, involved several national retailers, and exposed the credit card data of 41 million people. The method used to access the data was not particularly sophisticated. The thieves were "wardriving," driving around in a car probing wireless local area networks (WLANs) and exploiting weaknesses in their security to gain access to customer data, including credit card numbers, expiration dates and security codes.

Notification
Without adequate logging and data tracking systems in place, it was exceedingly difficult to establish how long the fraud had been occurring or how many customers were affected. The retailer then came under heavy criticism for what many considered a slow and sloppy response. The company was also criticized for not disclosing the breach until a month after it was first discovered.

The company was eventually forced to offer credit monitoring to a small subset of affected customers, as a result of a lawsuit settlement. It also held a special sale for its victimized customers and gave them a $30 voucher to be used in its retail locations, provided that the customers supplied written documentation of the time or money lost as a result of the incident.

Reaction
A few months following the disclosure, the company received 11 subpoenas from different state attorneys general. Many lawsuits were filed against the company in federal and state courts, brought by banks, credit card issuers, state government officials and groups of affected North American customers. The company suffered more than $200 million in losses related to the theft. The negative publicity surrounding this incident continues, years after the breach was discovered and almost nine years after it first began.

Lessons Learned
Investigate the breach. The company's lack of adequate logging and data tracking meant it could not scope the intrusion, which led to consumer confusion and speculation, and in turn to fear.

Offer the solution to all customers. The company was criticized for offering credit monitoring to only a small subset of affected customers, and for the fact that the monitoring was only offered as a result of a lawsuit settlement.

The remedy should fit the offense. Consider that victims who spent time and money trying to reclaim their stolen identities and recoup their losses may see a token (such as a $30 coupon) as an insult.

Provide updates. Demonstrate a concern for customers and a concern about the outcome of the case by providing customers and the media with periodic updates of new findings and case status.


Case Study 4.2: Federal Government Agency

Background
On May 22, 2006, a large federal government agency announced that 26.5 million Social Security numbers were compromised as the result of a stolen laptop that contained unencrypted personally identifiable information. It was later revealed that the incident had actually occurred on May 3, 2006, but that the agency's top official was not notified until May 16, 2006. This delayed notification of the FBI until two weeks after the burglary. Less than a month later, the agency warned that an additional 2.2 million citizens also had their data compromised, for a total of 28.7 million breached records.

Notification
On Aug. 10, 2006, the agency mailed notification letters to the individuals whose information was found on the missing computer, which was recovered by the FBI.

The House Government Reform Committee also held a hearing to discuss the incident and the Government Accountability Office (GAO) issued a report the following year.

To support the potential victims, the agency devoted the home page of its website to notifying affected citizens. It posted an extensive Q&A section on the site which provided information about how the breach occurred, what steps people could take to monitor their personal information and who to contact if they suspected fraud. The agency also created a hotline staffed by call center employees to answer questions.

Reaction
There was a significant amount of media coverage when the incident was announced. The media stories emphasized that the agency had waited two weeks to disclose the incident, putting the citizens whose data had been exposed at risk and denying them the opportunity to protect themselves. As a result of the incident, at least three class-action lawsuits have been filed against the agency and its secretary.

Lessons Learned
It can happen to you. Each year data breaches become more common.

Be prepared, and have contracts in place. It is important to develop a breach response plan, and an internal process for rapid response. This can help companies react to a breach more quickly.

Promote a culture of awareness and reporting. In order for companies to detect and react to a breach, each person in the organization must know what to look for and who to tell, so that executives can activate the response plan without delay.

Educate all staff. It is important to circulate information on data breaches to employees, and make sure everyone knows what to look for, and how they should react to a potential breach.


Case Study 4.3: Financial Institution

Background
In 2008, a major financial institution's backup data storage tapes (containing customer data that included Social Security numbers and bank account information) went missing – twice. During the first incident, the unencrypted tapes were lost while in transit to a storage facility by the company's courier. The second incident occurred again while unencrypted data storage tapes were being moved by a commercial carrier.

Notification
The company was criticized for not disclosing the loss of customer data in a timely manner. While the first incident occurred on Feb. 27, 2008, it appears that the financial institution did not notify its affected partner institution that it had lost the data until May 2008. The partner financial institution then informed the Connecticut attorney general, who made a public announcement about the incident and called for an investigation. The attorney general and the media were highly critical of the financial institution and questioned the long delay in notification. The financial institution sent letters to all of the affected customers, an ongoing process that took several months, as the institution uncovered an additional four million affected customers.

Reaction
Because of the delay in notification and because the company did not itself announce the loss of customer data, the media and public reaction was highly negative. The company's initial response to the incident was an offer of one year of credit monitoring for the affected customers. However, as a result of the attorney general's investigation, it later extended that offer to include two years of monitoring, increased the amount of identity theft insurance coverage from $10,000 to $25,000 and said that it would reimburse the cost of placing a security freeze on a credit file.

Lessons Learned
Take control of the disclosure. Allowing an outside entity to announce a breach – in this case, the Connecticut Attorney General – puts your company on the defensive, battling legal forces and negative public perception. Disclosing as soon as possible helps mitigate the inevitably negative reaction.

Indicate empathy for those affected. Customers see the bank as a trustworthy entity – and after a breach, they may feel a tremendous lack of that trust and confidence. Ensuring that customer-centric messaging is included in the disclosure of a breach helps shape a perception among customers that the company has their best interest in mind.

Post the customer letter on your website. However, even though the number of affected customers may number in the millions, timely notification of customers through a mailing is still important.


Solutions

Notification
Affinion Group recommends using Affinion Security Center to handle all aspects of notification to the impacted population. At a very cost-effective rate, given our unique experience and scale, not only can we draft the notification letter, we will consult on PR strategy and ensure that the impacted population is contacted quickly and efficiently.

Enrollment
We provide the greatest number of options available in the industry to ensure that your customers can enroll quickly, easily and via the means most convenient. We offer the following enrollment options:

Full File Enrollment allows your company to quickly protect all impacted members. The partner will supply a full file of names via a secure method to Affinion for enrollment.

Voice Response Unit (VRU) allows customers to enroll via telephone by simply entering the unique encrypted activation code provided in the notification letter.

Online allows customers to enroll via a dedicated URL by simply entering the unique encrypted activation code provided in the notification letter.

USPS enrollment allows customers to enroll by filling out an enrollment form and returning it via USPS.

Protection Benefits
To help keep the customer's identity safe, Affinion's data breach products offer comprehensive identity theft protection including: credit monitoring, the credit information hotline, credit reports and the credit card registry service, ID theft insurance, dedicated fraud resolution specialists, automated fraud alerts, and Internet monitoring. Affinion's specialists will help your company choose the best options based on the severity of the breach and the type of data lost.

Resolution
As part of your company's BreachShield solution, all customers enrolled in credit monitoring will have access to Affinion's Identity Fraud Support Services (IFSS). Our Identity Fraud Support includes all aspects of helping our members resolve identity fraud or theft. Members will receive the following:

• A dedicated FCRA-certified caseworker who will provide direct contact information to the member and follow the case through to resolution

• Victims of identity fraud will receive a six-month complimentary term extension of the PrivacyGuard credit monitoring service ensuring continued protection during resolution

• Advice on placing fraud alerts at each of the three major credit bureaus

• Assistance requesting a current credit report from the three credit bureaus

• Analysis of areas that could be impacted by the fraud

• In certain instances, the resolution specialist will assist members by attending conference calls and drafting letters and forms


• Information on contacting law enforcement officials and the FBI

• Assistance with any travel arrangements necessary for fraud resolution

• Victims receive a personalized Fraud Resolution Kit via overnight mail which includes:

– Educational information and resource contact information for relevant government agencies and financial institutions

– Personalized dispute letters to send to credit bureaus and financial institutions as well as extra copies for reference

– Instructions on how to file a police report, request a personal Social Security statement, and a worksheet for victims to track activities and time spent resolving identity fraud issues

Credit Monitoring and Alerts
This service monitors changes to an individual's credit records with one of the national credit reporting agencies (credit bureaus). Members will be notified of any changes to their records, including any new accounts opened or a change in credit score.

Internet Fraud Monitoring
A sophisticated, real-time, early warning technology monitors various underground chat rooms where thieves sell and trade stolen information. Members are notified via e-mail if their personal information is discovered as compromised – often before the financial institution is notified.

Automated Fraud Alerts
When an application for credit is made in the member's name, either by the member or someone else, the member receives a confirmation phone call allowing them to approve or deny the new credit request.

Triple-Bureau Credit Reports & Scores
Members receive current credit reports and credit scores from all three major credit reporting agencies, including a comprehensive credit analysis.

Identity Theft Insurance
ID Theft coverage is available at various levels.

Credit Information Hotline
Members can call the Credit Information Hotline toll free to speak to an FCRA-trained representative. These highly trained representatives walk members through their credit reports and answer questions about credit records or alerts received.

Credit Card Registry Service (Lost/Stolen Service)
This service gives members the chance to centralize and store information from credit, bank, department store and oil company cards in a single, secure location. Should these items ever get lost or be stolen, members can cancel these cards and request replacements – all with one toll-free phone call.


Breach Recovery: Sample Press Release

[Company Name] Victimized by [Data Breach/Computer Intrusion]; Provides Helpful Information to Protect Customers

City, State – [Company Name] announced today that it suffered [Describe Breach Incident: an unauthorized intrusion into its computer systems; loss of data from a stolen computer] which contained information related to customer transactions. [Describe the number of customers affected: Company is launching a full investigation to determine the full extent of the theft and number of affected customers; Company believes that XX customers may have had their personal information compromised]. [Give more details on which systems, brands and locations were affected] The data breach involved [Company's] payment processing system that handles credit card, debit card and check transactions for its [stores/customers] throughout [the United States, Europe, Texas]. Company immediately alerted law enforcement authorities of the crime and is working closely with them to help identify those responsible. Company is also cooperating with credit and debit card issuers and providing them with information about the incident.

Company [is launching/has launched] a full investigation of the breach with the assistance of leading computer security and data analysis firms to determine what customer information may have been compromised. [Company] expects to provide its customers with more information as it becomes available. Since the intrusion, [Company] has taken steps to secure its computer network and systems to prevent this type of incident from occurring in the future.

"We are extremely concerned about this event and the difficulties it may cause our customers. Since discovering this crime, we have implemented the highest security measures to ensure the safety of our customers, and will work with them to help restore any compromised information. Our customers remain the first priority for [Company], and we will continue to inform them as we uncover additional details about the incident," says [Name, CEO of Company].

Information For Customers [Outline actions customers can take and resources available]

To help protect its customers, [Company] has notified the three major credit bureaus in the U.S. of this incident, as well as the attorneys general in the affected states. [Company] has also retained [Identity Theft Protection Company], a specialist in identity theft protection, to provide customers with [X] years of identity theft protection and restoration services, free of charge.

Customers who have questions about the incident or who wish to enroll in the identity theft protection program can do so by calling [Company's] dedicated helpline toll free at: XXX-XXXX in the United States and (XXX) XXX-XXXX in Canada or by visiting [Company's website address].


Breach Recovery: Sample Letter to Employees

[Date]

Dear Customer/Employee:

We are writing to let you know that we have become aware of a data privacy breach affecting an estimated XX [customers, colleagues, individuals]. It appears that the breach developed when [briefly state how the breach occurred].

[Company] has been working with outside consultants to review the exposed data quickly and thoroughly. At this point our review is not complete, but we believe that some of the following information may have been exposed: your name; Social Security number and/or Taxpayer Identification number; home address; home and/or cellular phone number(s); fax number; e-mail address; credit card number; bank account number; passport number; driver's license number; military identification number; birth date and signature.

So far there is no indication that any unauthorized person has used or is misusing the information that was [stolen, accessed, compromised]. Nonetheless, we want you to know now, and to have tools and information to help you prevent and detect any misuse. [Company] has notified law enforcement and, to help protect you, has retained [Identity Theft Protection Company], a specialist in identity theft protection, to provide you with [X] years of protection and restoration services, free of charge.

You can enroll in the program by following the directions below. Please keep this letter; you will need the personal access code it contains in order to register for services.

The [Identity Theft Protection service] package that [Company] has arranged provides these protections for you:

• Credit Monitoring: unlimited access to your credit report and score, with notification via email of key changes in your credit report that may indicate fraudulent activity.

• Fraud Resolution Representatives: Expert guidance if you suspect that your personal information is being misused.

• Insurance Reimbursement: [$XX] of Identity Theft insurance [describe details]

[Company] has advised the three major U.S. credit bureaus about this incident. We gave a general report, alerting them to the fact that the incident occurred; [Company] has not notified them about the presence of your specific information in the removed data. [Company] has also notified the attorney general's office in your state of residence about this incident, as well as other officials where required by law.


Additional Ways to Help Protect Yourself

Besides registering for the free protection services that [Company] has arranged, there are other things that you can do to help protect yourself from fraud or identity theft.

We advise you to remain vigilant against the possibility of fraud and/or identity theft by monitoring your account statements and credit reports for unusual activity.

When you receive your credit reports, review them carefully. If you see anything you do not understand, call the credit reporting agency. If you do find suspicious activity on your credit reports, call your local police or sheriff's office and file a police report of identity theft. Make sure to obtain a copy of the police report because you may need to provide the report to creditors to clear your record. You also should file a complaint with the Federal Trade Commission (FTC) at www.ftc.gov/idtheft or at 1-877-ID-THEFT (1-877-438-4338). Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations.

Even if you do not find suspicious activity on your initial credit reports, the FTC suggests that you keep checking your credit reports periodically. Identity thieves sometimes hold on to personal information for a period of time before using it. Checking your credit reports periodically can help you spot potential problems and address them quickly.

We encourage you to consider all options to help protect your privacy and security, and in particular, we encourage you to take advantage of the credit protection services we have arranged for you with [Identity Theft Protection Company], at no charge to you.

How to Sign Up for the Identity Theft Protection Services

You may sign up for the protection services free of charge by calling a special toll free number [1-800-XXX-XXXX].

You may also enroll online by visiting [website]. To sign up, just enter the access code provided below and disregard any pricing information.

Your Access Code: [insert access code]

We encourage you to enroll and activate your credit monitoring quickly.

Please note that the deadline for enrolling in this service is XXX.

[Company] takes your privacy very seriously and will continue to monitor this situation. We have modified the computer system where this information was stored and enhanced security for other computer systems as well. Should there be any significant developments, we will notify you.

If you have questions or wish to request more information from [Company], please send us an email at [email address] or call us at [phone number].

[Company] understands how important it is to maintain the security and confidentiality of personal information. Again, we regret any inconvenience that may result from this incident and encourage you to take full advantage of all resources to help protect your personal information.

Sincerely,

[CEO or Privacy Officer]


Breach Recovery: Sample Letter to Customers

Dear [Name]:We are writing to inform you about possible fraudulent activity involving yourpersonal information. We take these matters very seriously and this incident isbeing investigated. As a result of unauthorized access to our computer system,information such as your name, address, telephone number, Social Securitynumber, card account number, and PIN may have been accessed byunauthorized parties. You will not be responsible for unauthorized fraudulentactivity resulting from this situation.

We are working with law enforcement authorities to investigate the situation,and to ensure that this does not happen again. At this point, our investigation isstill ongoing, however we would like to make sure that your personalinformation is protected.

What we are doing to protect your personal information: We are offering you a complimentary one-year membership in PrivacyGuard®.PrivacyGuard is a national subscription credit monitoring service that providesyou with access to your credit reports and daily monitoring of your credit filesfrom all three national consumer reporting agencies. To take advantage of thisservice, you must sign up by [date].

You may enroll for your free one-year membership in PrivacyGuard® in one ofthree ways: 1) Sign up online at [Insert URL] and enter the requested information.2) Sign up by telephone using the automated system by dialing

1-800-XXX-XXXX. 3) To sign up via postal mail, please complete, sign and mail the enclosed

enrollment form.

What you can do to protect your information: Attached to this letter is a list of steps you can take to help prevent identity theft. If we can assist you further, please call our toll-free number at 1-800-XXX-XXXX from 8 a.m. EST to 8 p.m. EST, Monday through Saturday. You may also visit [company website] for more information.

Sincerely,

[Name]
Chief Operating Officer


Page 29: Data Breach Response Guide for Credit Unions


7 Breach Recovery: Resources

Security Industry Experts
Affinion Security Center | BreachShield
www.affinionsecuritycenter.com
www.breachshield.com

Public Relations, Investor Relations & Crisis Communications
ICR, Inc.
www.icrinc.com

Government
Federal Trade Commission
www.ftc.gov/bcp/edu/microsites/idtheft

Consumer Protection Groups
Identity Theft Resource Center
www.idtheftcenter.org

Page 30: Data Breach Response Guide for Credit Unions


© 2009, Affinion Group
