KANSAS CITY, Mo.—It’s no longer a matter of if electric cooperatives will experience a security breach but when, according to cybersecurity experts at NRECA’s Co-op Cyber Tech conference. So, how should co-ops inform members when the moment comes?
Jerry Beckley, vice president of computing and information technology at Mayfield-based West Kentucky Rural Electric Cooperative Corp., told attendees at a May 18 session that “there are no hard and fast rules about communicating a data breach to your membership; each breach is different.” He offered practical guidance for co-ops.
First, be clear that a cybersecurity breach is “the unauthorized access, disclosure, or acquisition of sensitive or confidential information by an individual, group, or organization” due to hacking, theft, human error, or other reasons, and can result in financial fraud, identity theft and additional problems, he said.
Every co-op’s situation will be unique, but being timely, transparent and truthful about a breach is paramount to member trust, he said. It also gives members a heads-up to take steps to protect their personal information.
Beckley said while divulging a data breach could result in legal liability and reputational harm, not doing so carries greater concerns, such as:
- Loss of members’ trust and loyalty as affected individuals feel betrayed.
- Fines or significant penalties for noncompliance in areas with notification mandates.
- Increased vulnerability for those unaware that their personal information has been compromised.
- Risk of members learning of a breach through the media or other means.
“Overall, the potential cons of not communicating a data breach outweigh any perceived benefits,” he said. “It is generally considered to be the responsible course of action to communicate a data breach to affected individuals in a timely and transparent manner in order to minimize the risk of harm and maintain trust. In some states, it is required.”
Completing the following tasks before communicating a breach, he said, can make the process efficient:
- Get all the facts about the incident—who, what, when, where and how.
- Establish a clear line of communication and determine who will be “the face of the co-op” to media and members.
- Align digital, print and verbal responses.
- Inform all co-op employees and prepare them for how to handle any inquiries.
“You need to prepare your staff,” he said. “The phones will be ringing and members will be coming into the office. Give your MSRs a script. Everyone is reading from the same sheet of music and if you see Mary at the grocery store, you tell her the exact same thing you’d tell her if she was on the phone.”
He also recommended member communications include an apology and adhere to these guidelines:
- Use clear language.
- Provide guidance.
- Offer support.
- Follow up regularly.
Beckley encouraged co-ops to practice responding to a cyber breach, participate in tabletop exercises and use NRECA cybersecurity tools, including its Co-op Cybersecurity Lexicon, to help formulate a plan.
At West Kentucky RECC, employees prepare communications for various breaches from a stolen laptop to a SCADA (Supervisory Control and Data Acquisition) attack, he said. “Everyone knows their role,” he said. “We want to minimize surprises. It’s easier to be proactive than reactive at the end of the day.”