Halloween, not at all my favorite holiday, looms. On this "hollow day" we commonly celebrate the ghastly—ghouls, ghosts, goblins and gloom—and with ever-increasing fanfare (when did lights get to be important for Halloween?). It's not clear to me what upside there is to focusing on that which encourages us to be frightened, worried, or just plain grossed out. This is especially true for those who work with or are responsible for retail payment systems. From cyberattacks and data breaches to basic fraud and theft, there is plenty to haunt and drive us to an early grave.
Today, I offer no solution to the threats; they seem to be ever with us. When bad things happen, and they almost surely will, one of our most important choices relates to reporting. To get to where I'm going, I'll share a series of text messages my son sent recently to report an incident at the house. His messages were as follows:
The trouble with security incidents is they don't come with a fat dog to vacuum up the mess. One of the trickier messes is in the reporting. What should be reported, to whom should it be reported, and when?
My first instinct is to say that when something goes awry, err on the side of reporting—early and often. I have said so in a previous post. Alas, it's not that easy; there is no fat dog to clean up the mess. Realizing that, I feel compelled to correct my earlier thinking, or at least to offer a more nuanced view.
One can agree or not, like it or not, but the truth is notification obligations are not triggered by every security incident. What has to be reported and when varies by state as well as circumstance. That's grist for another blog. For this one, just note that one often has choices. What if bad consequences such as reduced sales or damaged reputations could have been avoided by not talking out of turn? It's not wrong to ponder that.
There are other arguments to be made against early reporting. For instance, an early understanding may (and likely will) need to be amended. The amendment could be dramatic if additional forensics make clear that initial conclusions were incomplete or simply incorrect.
The other side is that erring in favor of the "early and often" principle or sacrificing self in the interest of others is "the right thing to do." I recently heard a person say their company chose to be public and transparent about a breach of theirs, in spite of incomplete information. The speaker said it was the right thing for them, in that instance. He also said it couldn't be a rule. His rule was that the CEO needs to be comfortable with what is decided because somebody is harmed no matter what the decision.
The resolution is an incident response plan. Be committed to developing a well-conceived one. Don't think your firm is too small for one. Knowing your options, such as whether notice is required (and when), could prove priceless, as could working through all the communication decisions without the heat that accompanies a real incident. If incident response plans are already in place, test key decision makers with realistic exercises that include wide-ranging communication scenarios and find out what doesn't work for the company. Fix what is discovered before the storm hits.
Alternatively, I have a fat dog that doubles as a vacuum. Price is negotiable but any sale is final.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed