In the wake of every hack (and every second and one yard in the Super Bowl) there is a stream of criticism from Monday morning quarterbacks about what should have been done.  (Handoff to Marshawn Lynch, maybe?)

But in many ways, Anthem Blue Cross did the best they could, considering the situation.

There are several things you want to do if you have a data breach.  The first is, of course, don’t have a data breach.  The second is, if you DO have a data breach, make sure that there aren’t too many records breached.  The third is, if there are lots of records breached, make sure that they don’t contain sensitive or personal information.  The fourth is, make sure that the records are not the kind that require you to make a notification.

OK.  So there’s that.  The thing about preparing for a “worst case” scenario is that the worst case is likely to actually happen.  So now that the breach happened, how did Anthem respond?

Pretty well.

The basic rules for damage control in data breach incident response are:

1. Get the news out yourself

2. Get the news out from the right person/right level

3. Get the news out early

4. Get as much news out as you can

5. Get help

6. Fix the problem for your customers

7. Keep them updated

1.  Get the news out yourself

In all of these, Anthem did a pretty good job.  From all reports to date, Anthem noticed the breach themselves, and reported it quickly to both the FBI and then to the public.

They did not hesitate.   This is a sign of a mature incident response plan.  They had the names and contact information for the relevant people at hand, and likely had a relationship with them long before there was an incident.  They didn’t wait for someone else to tell the story – they told it themselves.

2.  Get the news out from the right person/right level

This was a massive breach, both in terms of sheer numbers and potential impact.  It’s a big deal.  Anthem’s notice came from their CEO – which was undoubtedly the right level for a breach like this.

If you have the CEO of a multifaceted organization notify about a minor or focused breach, it elevates the perception of its severity.  If, on the other hand, you have a low level technical employee as the front person for a major breach like this, it says that you don’t care.  The right response from the right person is critical.  The tone, tenor and content of the breach notice are also important, for both public relations and legal purposes.  How do you get it right?  Practice, practice, practice.  Have scripts prepared in advance for most contingencies.

3.  Get the news out early

The number one criticism of data breach notifications is that companies don’t make them quickly enough.

It’s really not a valid criticism in most cases, but people tend to be outraged.  “You knew about this for SIX days and didn’t say anything?!?”

With data breaches, the faster the better.  Unless it’s too fast.  If you give inaccurate information in the interest of being fast, that can be worse than being right and late.  And worse still is what happened to the VA.  They provided notice of a data breach involving millions of veterans’ health records (mailing the notices from IRS offices, because those were the only ones equipped to send out millions of letters) and later found the computers with the records untouched.  Oops.  Never mind.  So fast and accurate is good.

4.  Get as much news out as you can

Anthem sent out the standard “Otter” letter, from the movie Animal House. After destroying Flounder’s brother’s car, frat President Otter consoles Flounder by saying, “You F’d up…. You trusted us.”

In data breaches, the standard Otter letter starts out, “Dear Valued Customer.  The privacy and security of your data is important to us.  We engage in great efforts to protect your sensitive data.  Unfortunately….”

And then you can add the language from Animal House.   The notice did say what types of records might have been affected, and what Anthem was doing to mitigate the damage.  It was very light on technical details, which is appropriate for a missive from the CEO, but could (should?) have been followed with a more technical briefing.

How do you THINK they got in?  How do you think they got the data?  How long have they had it?  Was this an insider or outsider?  What’s the evidence to date?  If you can do so without compromising the investigation, provide as much of that data as possible.

5.  Get help

Anthem appears to have done that.  They brought in both the FBI and a security consultant.  Good idea.  Have the security incident response team already on retainer, and let them become familiar with your people, processes and architecture before a breach.

That way they don’t have to learn this at 3AM.  Have them help create and test your incident response plan.  You don’t install fire extinguishers when the fire starts, do you?  Help comes from lots of places.  Consultants.  Lawyers.  PR experts.  Crisis communications.  Insurance claims processors.  Technical help.  Vendors, suppliers, etc.  Regulators, law enforcement and sometimes even intelligence agencies. Data breach notification and remediation experts. Get help.

6.  Fix the problem for your customers

The customer wants to know what THEY have to do, and what YOU have done for them.  In this case, Anthem is starting to offer credit-monitoring services.  For what it’s worth.  And they went to the dark web to see if the data is being sold.

Threat intelligence can help figure out what’s being done with the stolen data, and look for it to reemerge.  This can help find out who did it.  Make sure your customers understand that YOU are a victim too, but also that YOU are looking out for THEM.  You will make it right.

7.  Keep them updated

The victims want to be part of the solution.  Well, some of them do.  Sometimes.  Keep them updated on progress.  Anthem created a webpage and toll free number.  Let’s see what they put there in coming days.

OK. So that’s the good.  The bad news is that there was a breach of 80 million records, and it included SSNs and financial records as well as names and addresses.

Bad stuff.  Which can be used for bad stuff.  So far, it looks like Anthem did a pretty good job of security, but that the attack (possibly Chinese, but who knows at this juncture) was both very sophisticated and persistent.  Contrary to published reports in the LA Times, encryption probably wouldn’t have helped, although data segregation, multifactor authentication, field masking or Data Loss Prevention might have.  Might have.
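Two of the controls named above, field masking and Data Loss Prevention, are easy to show concretely. The Python below is an added illustration, not code from the post or from Anthem: it masks the SSN and account-number fields of a record so that a copy of the record exposes only the last four digits, and then runs a DLP-style pattern check over a serialized batch to count unmasked identifiers. The record layout and the two sample rows are constructed for the example; the regexes are deliberately simple and would need tuning (and Luhn checks for card numbers) before real use.

```python
import json
import re

# Constructed sample records (fictional people). The fields mirror the
# categories the post lists: names, addresses, SSNs and financial data.
SAMPLE_RECORDS = [
    {"name": "Pat Example", "address": "1 Main St",
     "ssn": "123-45-6789", "account": "4111111111111111"},
    {"name": "Sam Sample", "address": "2 Oak Ave",
     "ssn": "987-65-4321", "account": "5500000000000004"},
]

# DLP-style detectors: a full SSN in the usual dashed form, and a bare
# 13-16 digit run that looks like a card or account number.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d{13,16}\b")


def mask_ssn(ssn):
    """Field masking: keep only the last four digits of an SSN."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def mask_pan(pan):
    """Field masking for a card/account number: keep the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("expected a 13-19 digit account number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(rec):
    """Return a copy of the record with its sensitive fields masked.

    The unmasked original stays only in the system of record; everything
    downstream (support tools, reports, exports) works from this copy.
    """
    out = dict(rec)
    out["ssn"] = mask_ssn(rec["ssn"])
    out["account"] = mask_pan(rec["account"])
    return out


def dlp_findings(text):
    """Count unmasked identifiers in an outbound payload (DLP-style check)."""
    return {"ssn": len(SSN_RE.findall(text)), "pan": len(PAN_RE.findall(text))}


def scan_records(records):
    """Serialize a batch the way an export would and scan it."""
    return dlp_findings(json.dumps(records))


if __name__ == "__main__":
    print("raw export:   ", scan_records(SAMPLE_RECORDS))
    masked = [mask_record(r) for r in SAMPLE_RECORDS]
    print("masked export:", scan_records(masked))
    print(masked[0])
```

The point of pairing the two: masking limits what a bulk read of the table yields, and the DLP check gives you a way to notice when a full-fidelity copy is leaving through a channel where only the masked form should appear.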

The good news?  Anthem has 80 million customers.  For now.
