How/when do you handle bad news?

One deals with identified information-related hazards/risks in one of two ways:  you institute controls to prevent the hazard from occurring and you prepare mitigations in case the hazard happens.

Let’s say one of the hazards you have identified is the risk of computer hackers breaking into your system and stealing your customers credit card information.  You take a lot of steps to prevent that from happening, but how robust are your response plans (mitigations) if it happens?  Once you have credible evidence that your system has been hacked, does your crisis management plan call for you to give your customers early warning of the potential breach, even if your investigation is not complete?  Do you have a duty to notify?

Target seems to have notified customers fairly quickly.  Not so Neiman Marcus.  A malware program was working inside Neiman Marcus from July 16 to October 30, 2013.  Neiman was warned December 13 of the breach.   On January 1, they discovered evidence of hacking of payment data.  On January 6, they learned the hacking involved multiple stores.  They disabled the software by January 10.  And then told customers about it. After the Christmas holiday season was over.  Only a couple of thousand Visa/MasterCard accounts affected. Apology issued January 16.  Happy Holidays.

They wanted to get more information first.  Didn’t want to worry customers. Not cause a panic.  In retrospect, how does it look?

Does your mitigation plan have similar gaps?

“Malware Hid for Months at Neiman,” Wall Street Journal, January 24, 2014 B2

Leave a comment

Filed under Business Case, Business Continuity, Controls, Governance, Information, Internal controls, IT, Operations, Risk, Security

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s