Data Breach Summary
After Bits and Bytes CEO Alice Cartwell gave an introduction for the seminar, Dr. Rebecca Horton, CIO of Bits and Bytes, took the stage. Dr. Horton gave a sobering recount of the events that transpired during our recent data breach. An unknown hacker group gained access to customer personally identifiable information (PII) records that were housed on one of our back-up servers and captured data. Customer information that was exposed included phone numbers, addresses, user names, and the last 4 digits of credit card numbers. Fortunately, the breach was caught in time to prevent additional information from being exposed.
Follow-up actions that have taken place after the breach:
- Took inventory of all the data that was exposed during the breach
- Reset all confidential codes and credentials to our access servers
- Isolated and took the exposed servers offline
- Worked with one of our security consulting groups to better encrypt our servers and bring them back online
- Provided training to employees about protecting information and learning how to recognize security threats
- Engaged law enforcement agencies to help investigate the attack
- Compared log files to back-up files to ensure none of the data went missing
"Everyone has a role to play in information security and keeping this company safe." - Rebecca Horton, CIO
What are the Current Laws?
Horton outlined what some of the current laws surrounding security breach notifications are. Our company is required by law to notify the customers who were impacted by the data breach because it involved access to PII by unauthorized individuals.
By Michigan law, we were allowed to delay communicating the breach to customers until we understood the entire scope of the breach and had restored the databases and servers affected. Once that was completed, we were required to provide notice to our customers without any unreasonable delay.
How we are required to communicate the notice to customers can vary. We could either provide a written notice sent to their address, an electronic notice (if the customer consented to receive electronic notices), or a phone call.
The notice is required to:
- be written clearly
- describe the breach using general terminology
- describe the type of PII that was accessed
- detail what was done to remediate
- provide a phone number to call for additional information
- remind customers to be vigilant for potential identity theft
How to Handle Customer Questions
When interacting with customers, it is important to remain positive, empathetic and professional. Horton explained that customers would be anxious, concerned and furious. They will have many questions and will want assurance that their data is safe. Horton shared, "First and foremost, they [customers] want to be heard. Listen to everything they have to say and let them know you understand their frustrations and concerns." It is also important not to get impatient with customers, as some will have a lengthy list of questions.
If a customer becomes verbally hostile or throws a tantrum, route them to our HR hotline 555-555-1010.
Helpful phrases to use with customers are:
- "Protecting your information is important to us and our number one priority."
- "We are doing everything in our power to keep your information secure."
- "We apologize for any inconvenience this may have caused you."
If a customer wants information about the specifics of the data breach, only share what was communicated in the company public statement. Do not share additional information, as this would be a breach in confidentiality.
Horton reminded the seminar attendees of our information sharing policies, and the penalties for violating them.
- Staff members are not permitted to express personal opinions about the data breach to the media or reporters, or in any other official capacity.
- Staff members are not permitted to make promises or extend product discounts to customers without written permission from HR.
- Staff members outside of the public relations team are not permitted to make official statements on the company's behalf regarding the incident.
Dr. Horton encouraged staff members to reach out to her ([email protected]) or her management team ([email protected]) if they had any post-seminar questions about the data breach or what to say to customers.
The downloadable handout below details scenarios of what to say when customers inquire about the data breach.
handout.docx