Are You Breach-Ready? 5 Breach Survival Tips From Brad Serwin Of Glassdoor

By following these 5 lessons, your company can better handle any breach, from large to small, more effectively.

According to published reports by security industry professionals, over 70% of companies will likely suffer a breach this year. And certainly, these breaches may be expensive. During his career, Brad Serwin, currently Glassdoor general counsel and previously senior vice president/deputy general counsel of eBay Inc., has helped companies respond to two breaches — one very large, one more modest. From his unique experience, Serwin shares five lessons for legal departments and general counsels responding to a breach.

Secure the Human First

People don’t realize how important they are when it comes to preventing and responding to breaches. They must be trained not to click on suspicious links and watch out for Internet strangers. They should also learn easy prevention measures such as looking at URL extensions and checking for digital certificates (padlock symbols in URL bars). “It is a good idea to gamify the experience,” says Serwin. “For example, at Glassdoor we have company-wide security tests. We actually publish how many wrong answers everyone VP-level and above gets.” Serwin also recommends investing in talent to respond to a breach. “Secure people who can help to respond to a potential breach before the breach occurs,” he explains. “You most definitely don’t want to negotiate an engagement letter as soon as the breach occurs. So, it is a good idea to have multiple retainer letters in place (such as counsels, security experts, and crisis communication professionals).” Finally, consider what your cyber insurance coverage is and identify the procedures you must follow. By having everyone on board and coordinated, breaches may be prevented and, if necessary, handled quickly and effectively.

Learn and Adjust from the “I Guess This Won’t Work” Moments

Tabletop exercises are a must and will lead to great learnings. As you go through these exercises, you will most definitely identify valuable “I guess this won’t work” moments. “For example, you may learn that for many organizations, sending 100 million emails takes up to two weeks,” explains Serwin. “That means it is impossible to immediately send this many emails to users of a large platform.” Serwin also emphasizes the importance of exploring all localization requirements on the table. “If you have users in other jurisdictions, consider how long it takes for you to make the message locally compliant and appropriately translated,” he adds. “This is also an opportunity to consider how you can help your users reset passwords without using potentially compromised data and how to notify your users properly after a breach.”

In a Moment of Crisis, Your Message Should Build Trust

Serwin also emphasizes collaboration between legal and communications. “I highly recommend that all general counsel befriend the head of communications and work with them regularly,” recommends Serwin. “Lawyers have much to learn from communications professionals.” The most important message to communicate during a crisis is trust. “Your communications in the middle of a crisis are crucial,” explains Serwin. “They need to add trust and credibility that everything is handled, secure, and under control. Your users, regulators, and employees need to know that you have a process and will do the right thing.” If your message does not add to trust, you should reconsider your wording.

Resist the Urge to Give Details Too Soon

The bottom line is that it takes time to understand what is happening and what to do about it. “You get no points in the long run for being early with incorrect information,” says Serwin. “In fact, early incorrect information can and will be used against you. It will make you look incompetent at best and deceiving at worst. So share only once you are sure and until then, be honest about what you do not yet know.” Serwin maintains that transparency is the best policy. “If you are still investigating and don’t know all the answers, then go ahead and say that,” he explains.

Don’t Let Your Board Find Out about the Breach from the Press

“Your board does not like surprises and will most definitely not like finding out about a breach from a reporter’s interview request or social media,” warns Serwin. “It is important that you work with other executives to notify your board soon after the incident.” Make sure that the board knows of the breach, then share your plan to address the breach. Serwin also notes that there can actually be a silver lining to having to notify your board of a breach. “This may be an opportunity for your executive team to showcase its competence and preparedness,” he shares.

Although no company wants to experience a breach, Serwin knows from experience that at even the biggest and best companies, breaches are eventually inevitable. The difference between a catastrophic breach and a well-handled one is your preparation and response. By following these five lessons, your company can better handle any breach, from large to small, more effectively.


Olga V. Mack is an award-winning general counsel, operations professional, startup advisor, public speaker, adjunct professor at Berkeley Law, and entrepreneur. Olga founded the Women Serve on Boards movement that advocates for women to serve on corporate boards of Fortune 500 companies. Olga also co-founded SunLaw to prepare women in-house attorneys to become general counsel and legal leaders and WISE to help women law firm partners become rainmakers. She embraces the current disruption to the legal profession. Olga loves this change and is dedicated to improving and shaping the future of law. She is convinced that the legal profession will emerge even stronger, more resilient, and inclusive than before. You can email Olga at olga@olgamack.com or follow her on Twitter @olgavmack.