One deals with identified information-related hazards and risks in two complementary ways: instituting controls to prevent the hazard from occurring, and preparing mitigations in case the hazard happens anyway.
Let’s say one of the hazards you have identified is the risk of computer hackers breaking into your system and stealing your customers’ credit card information. You take a lot of steps to prevent that from happening, but how robust are your response plans (mitigations) if it happens anyway? Once you have credible evidence that your system has been hacked, does your crisis management plan call for you to give your customers early warning of the potential breach, even if your investigation is not complete? Do you have a duty to notify?
Target seems to have notified customers fairly quickly. Not so Neiman Marcus. A malware program was working inside Neiman Marcus from July 16 to October 30, 2013. Neiman was warned of the breach on December 13. On January 1, they discovered evidence that payment data had been hacked. On January 6, they learned the hacking involved multiple stores. They disabled the software by January 10. And then told customers about it. After the Christmas holiday season was over. Only a couple of thousand Visa/MasterCard accounts affected. Apology issued January 16. Happy Holidays.
They wanted to get more information first. Didn’t want to worry customers. Not cause a panic. In retrospect, how does it look?
Does your mitigation plan have similar gaps?
“Malware Hid for Months at Neiman,” Wall Street Journal, January 24, 2014, p. B2, http://on.wsj.com/M4Qut1