IAPP Global Privacy Summit, 3/8/12 1. Joanne McNabb, CIPP/US/G/IT Chief California Office of Privacy...


Joanne McNabb, CIPP/US/G/IT, Chief, California Office of Privacy Protection

Lisa Sotto, Partner & Head, Privacy & Information Management Practice, Hunton & Williams

Susan Grant, Director of Consumer Protection, Consumer Federation of America


Session Outline

• Cost of a Data Breach
• Bad Communications
• Better Communications
• Making Amends
• Communications & Litigation


Entrust Survey Reveals RSA Data Breach Undermines Confidence in Hard Token Authentication

SecurID Company Suffers a Breach of Data Security

Sony Data Breach Exposes Users to Years of Identity-Theft Risk

Congress Probes TRICARE Breach: Bipartisan Effort to Learn More About Massive Incident

Breach Cost by Activity

Ponemon, 2010 Annual Study: U.S. Cost of a Data Breach

Lost Trust = Lost Customers


Some industries suffer more than others.

Ponemon, 2010 Annual Study: U.S. Cost of a Data Breach

Breach Impact on Reputation

Ponemon, Reputation Impact of a Data Breach, November 2011


Notification Timing Issues

• Not too soon, not too late.
• Consider delivery date.
• Avoid multiple flights of notices.


Notice Issues

• A legal notice? A communications piece? A marketing tool?

• Tone
  – What NOT to say
  – Who’s it from?
  – Addressed to whom?


• User name
• Email
• ENCRYPTED billing address
• ENCRYPTED credit card info

Why??

Huh?

EXAMPLE OF A NOT GREAT NOTICE


BEFORE 351 Words, 12th Grade
AFTER 224 Words, 8th Grade


Good Communications Strategies

• Outside communications firms
• Internal folks to train
• Employee communications
• Regulator communications
• Media


Making amends

Tips for Yom Kippur

• Accept that you screwed up.
• Express sincere remorse for your actions.
• The other person may not be able to accept your apology.
• Where possible take action to restore what was lost.
• Reflect on what you’ve learned.

From Twin Cities Hub for Jewish Stuff

Choosing a Make-Good Product

• Should you provide an identity theft service?
• If no, what else could you do to help your customers?
• If yes, what type of service would best fit your customers’ needs under the circumstances?
• What should you look for and what should you avoid when choosing a service?


Communications Before & During Litigation

• A contrite word may forestall litigation
• Before litigation, don’t think like a litigator
• If you offer a gift card to one unhappy customer, be prepared to offer one to all in settlement of an action
• If litigation is inevitable, vet all communications through the legal team


References & Resources

• California Office of Privacy Protection, Recommended Practices on Notice of Security Breach (1/12), www.privacy.ca.gov/business

• Consumer Federation of America, Shopping for ID Theft Services, at www.idtheftinfo.org

• Plain language resources
  – www.plainlanguage.gov
  – www.transcend.net/library/tools.html


What to Do Next Week

• Review “Shopping for ID Theft Services” and select product(s) for future use.

• Review your breach notice templates. Share plain language resources with your communications people.
