Have you ever been concerned about when to report a computer intrusion? Since my original post, I have had a number of questions about whether and when a company must or should notify its customers that personally identifiable information or credit card information has been stolen. This is an important question for all companies that store customer information and are connected to the Internet. In addition, according to a recent study by the Ponemon Institute, which specializes in computer and privacy issues, data theft is growing “more frequent, more severe, and harder to detect and stop.” In other words, there are more bad guys on the Internet than ever before.
The easy answer as to when a company should inform its customers is to send out notifications as soon as possible so the affected individuals can take prompt action to protect their information, such as by notifying their credit card companies or changing their passwords. However, as two recent cases suggest, the easy answer is not always the best answer. On June 13, 2011, a federal court held Comerica liable for data breach losses even though it notified its customer and stopped all account activity within six hours. Conversely, Citibank may have been justified in waiting nearly a month to begin notifying 360,000 customers of a breach.
According to court records, the trouble in Comerica began when the controller of a small company responded to what appeared to be an email from the bank by providing confidential login information. That information allowed the bad guys to steal almost $1.9 million out of the company’s account and transfer the money into accounts in China, Estonia, Finland, Russia, and Scotland. It took the bank six hours to notice the fraudulent transactions, notify the customer, and stop the transfers. Despite the relatively quick action by Comerica, the court held that the bank was responsible for the $560,000 that was not recovered because the bank didn’t act in “good faith.” The court stated that “a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”
In contrast, Citigroup only began notifying 360,000 of its customers more than three weeks after their information had been compromised. Citigroup has claimed that it took this long to analyze the lost data and that it intends to repay its customers for losses they may have suffered. While the jury is still out as to whether Citigroup acted in a timely fashion, there is an argument that, in situations similar to Citigroup’s, a company should be allowed to conduct a forensic investigation, which can take weeks, before it must notify its customers. In other words, there is no one-size-fits-all way to act.
Given the great deal of uncertainty in this area, how should a company that is the victim of a computer intrusion respond? While the timing of notification may differ, a company must be prepared to immediately stop any ongoing intrusion that may be causing additional damage to its systems. Once the bleeding has been stopped, the company must then be prepared to move swiftly to assess the damage and notify any customers who may suffer further harm if immediate notification is not given. This may mean that the IT department and outside computer experts must be prepared to work on a 24/7 basis. If it is determined that additional damage is unlikely, the company should undertake a forensic analysis with the goal of determining, as quickly as possible, which customers have been victimized. Notifying customers before all the facts are known can lead to more problems, including having to deal with a public relations nightmare.
The bottom line is that if a company waits until it has become the victim of a computer intrusion to decide how to respond, it has waited too long. A company should have in place a computer security plan that clearly sets forth how it will react if a computer security breach occurs.