Analyze your assessment of potential legal liability


Problem

You are the Chief Information Security Officer (CISO) of JustFax, a credit reporting agency charged with safeguarding the credit history of more than 30 million people. In recent years, JustFax has also become a purveyor of cybersecurity services, including identity theft monitoring. You recently took on the new job after a long period as an information security analyst at a global consulting firm. Although you had some trepidation at first given the frequent headlines of CISOs being fired in the wake of large-scale data breaches, you've been assured that your team is more than capable of handling corporate cybersecurity, and that you have a direct line to the Board of Directors and CEO if you see the need for large-scale changes. Unfortunately, that's not how things have worked out.

It's a holiday weekend. When you get to the office, your staff lead informs you of what appears to be abnormal activity on corporate networks over the long weekend. At first glance, it appears that your traffic flow analysis program raised red flags about the amount of information being transferred during an off-peak time. Further investigation reveals that the login came from a board member, and that the team hadn't wanted to bother him over the holiday weekend. You immediately call for a meeting with the CEO and Board, but are told that, in fact, you should go through the Chief Information Officer (CIO) first with any concerns. But the CIO is out for the day on a family emergency. Without an appointment, you go into the CEO's office to inform her of the situation. Although you can't be sure of the details yet, it appears that a massive breach has occurred using stolen login details from a JustFax board member. The CEO asks you what you'd suggest happen next given that the incident response plan you inherited is five years old and includes roles and points of contact that are no longer accurate (for example, JustFax recently transitioned to a Chief Information Governance Officer position and away from a pre-existing Chief Privacy Officer).

Cognizant of recent breaches including Equifax, you are aware that JustFax could face criminal probes and potentially lawsuits, as well as regulatory action from the Securities and Exchange Commission and potentially the Federal Trade Commission. To make the situation more complicated, it appears that information on Canadian, European, and European citizens was also breached.

Given that the CEO is unsure of next steps, she delegates the immediate authority to handle the breach investigation and remediation to you but suggests that you begin by holding a press conference to brief reporters, and through them the general public, on the current situation. In fact, she has taken the liberty of arranging such a press conference for you, which will begin in 30 minutes. No matter how bad the situation is, you know that refusing or saying "no comment" in response to reporters' questions will not play well. You decide to be as transparent as possible, but what should you say exactly?

Draft your statement, and separately analyze your assessment of potential legal liability in this case, along with the next steps you would suggest the organization take.
