Boss, I Think Someone Stole Our Customer Data

1. Of the four (4) commentaries that follow the case, select the one (1) that you believe to be the best solution to reporting the plan to address the problem and state why
Of the four commentaries that follow the case, the one that I believe to be the best solution to address the issues faced by Flayton Electronics is that of James E. Lee. I particularly liked his recommendations because it addressed all the key areas that are necessary in a risk response plan. Lee’s recommendations are typical of contingency planning; according to Heldman (2005), contingency planning is a form of acceptance because if the risk occurs, you are willing to accept the consequences and devise a plan to deal with those consequences. He is in favor of acting with urgency by addressing the affected parties, as the longer it takes for the company to do this will make then appear less credible.
Lee also recommended that once the risk is discovered, timing is an important element in implementing a risk response plan to minimize damages. This should be in the form of a prompt public disclosure once adequate information has been gathered; brand restoration should be initiated through public statements to help improve the company’s image; toll-free hotlines should be set up to address customers concerns; loyalty incentives in the form of discounts and sales should be given to compensate those customers that still stay loyal to Flayton’s; releasing a formal public relations statement to acknowledge the breach and to assure the public that the matter is being taken care of; finally handling secondary risks that may have occurred as a result of the situation i.e. blogs, social media, faulty media reports, etc.
Lee argued that if Brett Flayton and his team can mitigate the effects of the damage to their brand and reputation, they will be able to rise above the situation despite the fact that it may take them several years to recoup.
2. Prepare a report that responds to each of the proposed actions of the commentary you have selected
MEMORANDUM FOR SECURITY RESPONSE
TO: Brett Flayton Chief Executive Officer Flayton Electronics 1 Technology Parkway Houston, TX 77004

SUBJECT: Customer Data Security Breach
Mr. Flayton,
It has come to the attention of the Security & Loss Prevention department that the security of some of our customer’s credit card information has been compromised. In addition, Law Enforcement and the Secret Service are also aware of the situation and have advised us not to notify the public as yet until they have had a chance to apprehend the perpetrators.
Through the counsel of Mr. James E. Lee, Senior VP of Public & Consumer Affairs, ChoicePoint, and he had a few recommendations as to our best approach.

1. Make a formal public statement once you have obtained sufficient information in order to reassure the affected parties, address their concerns and also to let them know that we are working with law enforcement to identify the violator(s). I believe we should do this quickly given that a media personality is also a victim. The longer we wait to inform the parties we run the risk of them hearing about this from external sources, which will diminish our credibility. Delaying information could also result in more fraudulent charges to the accounts of affected customers and give the impression that we either do not care or are hiding something.

2. Set up toll free lines for customers to call in and get additional information that will help to reassure them that the situation is under control. There should also be recordings that give customers instructions on how to proceed if they have found unauthorized charges on their accounts, and also provide internal contacts information for them to report the matter to.

3. Loyalty incentives should be offered in the form of special discounts, sales, gift cards and reward cash as an incentive to keep customers coming back. In an article by Associated Press reporter, Robertson (2011) despite the prevalence of data breaches, customers still entrust their personal information to retailers. It is understandable that we may lose some customers, however we should compensate all parties for their loss and also give extra incentives to the customers that still stay loyal to us.

4. Handle secondary risks that will arise from the incident, these can be faulty media reports, blogs and social media reports with inaccurate information. Given the far reaching effect these media channels can have, we should have our Public Relations and department Legal department handle this by doing damage control in order to reduce the likelihood of additional lawsuits.

These recommendations will help to bolster the company’s image and maintain the integrity of the brand as well as restore the trust that our customers once had for our entity.

V/R,

Security Management

3. Detail at which point(s) you believe the problem occurred and suggests a safeguard for the future protection of the company
The data breach that Flayton Electronics experienced may have stemmed from several loopholes cited in the case. It may have been caused by someone hacking into the stores card reader system or from the fact that customer’s credit card information was being stored on the company’s computers and showing up on reports when this should not have happened. In order to mitigate these situations, the Security Director at Flayton’s should have a system set up to conduct weekly checks of their security systems to ensure there are no weak areas for hackers to tap into and promptly address any issue that raises a red flag. Also if customer’s credit card numbers are showing up on reports unnecessarily, then IT should have been alerted to help find a fix for that problem, so that the information does not get into the wrong hands.
Another possible cause could have been the employees that were terminated from the company. In order to prevent a situation where a former employee could misuse the privileges they once had with sensitive data, it is prudent to cut off all access to the systems by changing access codes and also blocking the person from coming back to the premises. All employees should sign a data confidentiality waiver and if they are ever found to be in breach of it, then legal action should be pursued against them.
Finally, the breach could also have been caused by the firewall that was disabled for some time and went unnoticed. I would address this problem first by firing Sergei who was responsible for making sure that the software was operational at all times and failed to address the problem with urgency or notify senior personnel of it. I would also ensure that the IT department conducts daily checks of the system to ensure that the company is protected fully from hackers. A communication system would be set up so that all daily/weekly security checks are turned in to the manager who will compile a report that will then be turned in at the end of each week to the new CIO (that will replace Sergei). This report would then be presented at the weekly meetings Brett has with his directors to keep him abreast of what is going on within the company.

4. Suggest a project management plan that will improve the company’s data security.
In order to effectively manage the data security of Flayton’s Electronics, it should be treated like a project in itself, the personnel will consist of the staff from the IT and Security departments. Once the PM has been identified and the scope, objectives and budget have been determined, the PM should seek the approval from the key stakeholders to initiate the project. He/she should then set a meeting with the key stakeholders in order to do a risk assessment, identify critical risks, their potential impact and plan contingencies to address them. Milestones should be set for the project with dates in order to track progress.
An example of these milestones can be to install a new firewall to correct the breach once the project is initiated, the second milestone can be to conduct a test of the system to ensure that the firewall is working effectively. In addition to setting milestones, the PM should also get with the senior team members and create a Work Breakdown Structure (WBS) where responsibilities are assigned to smaller teams. A communications plan should be set up to address what information should be documented and who, when and how this information will be shared. This will help to avoid certain data risks as certain levels of information would not be shared with lower level staff.
The project should be monitored closely to make sure that it is progressing as planned and each time changes are made that deviate from the baseline plan, it should be documented. The project manager should supervise all the team members involved to ensure they are performing at the required level. An audit should be conducted to evaluate the team and the quality of the work done. According to (Kloppenborg, Shriberg & Venkatraman, 2003), a project audit can occur at any time during a project and may even be done earlier in order to provide a measuring stick to see how the project is doing and if necessary make recommendations for changes. Finally, the project manager should also include lessons learned as a task in the project, as this will help other team members in having a guide when embarking on future security projects.

References
Hillson, D., & Simon P., (2007) Practical Project Risk Management: The Atom Methodology. Management Concepts
Kloppenborg, T., Shriberg, A., Venkatraman, J. (2003) Project Leadership
Robertson, J., (2011). Customers stay despite high profile breaches. Retrieved 06/05/2012 from
http://www.pewinternet.org/Media-Mentions/2011/Customers-stay-despite-highprofile-data-breaches.aspx