Case Study: Boss, I think someone stole our customer dataBY-Sumit AnandPriyanka MahapatraAmeeya MishraTushar GuptaBrief OverviewAbout Flayton ElectronicsKey People:Brett - CEOLaurie Benson-Vice President for loss preventionSergie - CIOSally OConnor Communication DirectorFrank Ardito CFODarrel Huntington Longtime outside Counsel

New Territory in Handling Data BreachWhat do you think data theft is all about?PCINO clear cut crime scene to sweep15% or 1500 cards were found in routine checkPCI- Payment Card Industry4Which are the most vulnerable areas ?Hacked Card ReadersData lines between the stores and the bank being tappedIs Stored Data SecuredInsider jobWork of some one who is recently been firedMistakeTossed a file into DumpsterSecret ServicesKeep this under wraps until we get a full pictureEthical or Not?

6Limited DefensesPCI complaint is complicated75% or so requirements are matchedScanning is not done everydayShould checking be required everyday?

Core Values at RiskCustomers are just wallets or one of the important assests ?Shareholders Value?Myopic about infrastructure Had he pushed too much too fast?

Into the BreachCompromised accounts Increasing > 1500Loop hole in the System Disabled Firewall (Accidental / Deliberate)Firewall part of the Wireless Inventory control system Internal company data were essentially being broadcastedFirewall created problems (Bugs, system crashing after bug fix)Broadcast was short range Perpetrators might be an insider / who have access to system3 communication options:Press conference Most fortnight approachInforming Customers by letters Might create more customer anxiety than Reassurance & make the company appearing as hiding something.Do nothing until Law Enforcement was ready to go Public Easiest in Short term because it put the decision in other handCFO Frank and outside counsel Darrell had a disagreement on whether to disclose the matter public or not.Darrell has a belief that who ever goes public 1st will get sued & theres bound to be a lot of media coverage.Darrell wants the communication manager to be silent to media.One of the affected accounts was of an Tv news reporter.

Brett is unrest over the fact that his fathers decades of work & reputation is on the line.Analyzes the scenario:

Evidence that Breach has occurredTerminated employees might be involved3 out of 6 states need to discloseFeds want normal working conditions & time for catching the perpetetorTelevision personality among victimsProbability of getting sued on discloseIf not disclosed then eventually will leakCompetitor will have advantage with promotionsHe cant look a customer ever squarely in the eye again

Anyhow he wants to overcome this situation real quick.

Case CommentarySuggestion 1 by:Beyond fixing the firms weaknesses in data security, the CEO must develop a brand-restoration strategy.

James E. Lee : is the senior vice president and chief public and consumer affairs officer at Choice Point, based in Alpharetta, Georgia.Suggestion 2 by:You need people on hand with the digital expertise to match wits with tech-savvy cyber criminals.Bill Boni : is the corporate information security officer for Motorola in Schaumburg, Illinois. He is also a vice president and board member of the Information Systems Audit and Control Association, a global organization based in Rolling Meadows, Illinois.

Suggestion 3 by:Making data security a priority for the future and communicating the specific policy changes that Flow from that may allow the company to become recognized as a leader in this area.John Philip Coghlan : is a former president and CEO of Visa USA, headquartered in San Francisco.

Suggestion 4 by:Not alerting customers right away is not the same as doing nothing.Jay Foley : (jfoley@idtheft center.org) is the executive director of the Identity Theft Resource Center in San Diego.