How should the Flayton Electronics team respond to the crisis?

1. Introduction

As information technology (IT) and information systems (IS) improve rapidly, a massive number of business activities can now be carried out through IT and IS. However, it is inevitable that the risks and threats increase at the same time. Thus, new kinds of risks and crimes, as described by Choo and Smith, may emerge in online activities such as payments, auctions, gaming, social networking sites and blogs (Choo & Smith, 2008). Obviously, in Flayton's case, the data breach the company suffered, which happened during the online payment process, is a typical and common information technology problem today. Adebayo has defined a data breach (also called a security breach) as an action that discloses secure and confidential information to an untrusted environment through an unauthorized individual (Adebayo, 2012). The Data Breach Investigations Report (DBIR) shows that there were 855 data breach incidents and 174 million compromised records worldwide in 2011, most of which were caused by hackers and malware (DBIR, 2012). The probability of a data breach in 2011 was therefore relatively high, and Caldwell predicted that the number of data breaches will continue to rise in later years (Caldwell, 2012). Thus, there is no doubt that this will be an enormous challenge for companies like Flayton Electronics. In Flayton's case, the data breach reported by Union Century Bank actually occurred at Flayton Electronics, a 25-year-old company. Because the company had never encountered such a situation, the top management team faced new territory and difficulties, and the whole company was at stake. In this paper, the author's solution will be provided.
On the one hand, there is a debate on whether the company should inform its customers that their data had been revealed; if so, when and how to make the notifications is of great importance for the reputation of Flayton Electronics. On the other hand, an investigation should be carried out to find the cause and the culprit of the incident, after which it is necessary to fix the problems and clarify the facts to the public. After that, long-term measures to protect the IT/IS security of Flayton Electronics will be set. Finally, compensation for the victims and penalties for the ineffective staff in the company will be determined. In total, those are all the solutions to Flayton's case, and their details will be recommended later in this paper.

2. Solutions

2.1 Communicating with the Customers

The most significant decision, which may be associated with the future reputation of Flayton Electronics, concerns the means of reporting the truth of the data breach, because different ways of releasing the incident may lead to completely different results. Fortunately, a study by Romanosky, Hoffman and Acquisti which explored two questions, "First, what kinds of data breaches are being litigated in federal court, and why? Second, what kinds of data breach lawsuits are settling, and why?", can be regarded as a useful guide for coping with such a confusing problem. The results of their investigation of more than 230 data breach lawsuits from 2000-2010 show that the likelihood of a company being sued in federal court is 3. times greater when people suffer financial loss, but more than 6 times lower when the company provides free credit monitoring after the breach, and that defendants settle 30% more often when plaintiffs cite financial damage from a data breach (Romanosky, Hoffman & Acquisti, 2011).
In total, there are many ways to report the fact of a security breach, some of which have been recommended by the staff of Flayton Electronics, the banks and the experts who commented on this case. However, different people hold different views. For example: the Secret Service, which checked out the data breach reported by Union Century Bank, required the company to keep the fact under wraps until they nail the bastards who did this; Darrell Huntington, the long-time outside counsel, said that the entity that discloses the data breach first gets sued, so they should not tell anyone; Sally O'Connor, the communications director, listed three communications options: holding a press conference soon, informing customers by letter, or doing nothing until law enforcement was ready to go public; James E. Lee's brand-restoration strategy asks Flayton Electronics to notify the affected customers quickly, set up hotlines, and offer credit-monitoring services; Bill Boni suggested that Flayton Electronics work with the Secret Service while at the same time disclosing the fact in some states; John Philip Coghlan's solution is to communicate with the customers promptly through a special web page and exclusive informational events; Jay Foley agreed with Darrell Huntington about remaining quiet for now, but his reason, different from Huntington's, is that Flayton's currently has no good information to put out. To summarize the solutions above, although the experts give a wide range of reasons, there are only two main opposing points of view: remaining silent or telling the truth to the customers promptly.
If Flayton's keeps the data breach secret and waits for the final result of the investigation by the Secret Service or by itself, it may not be sued by customers quickly, and if the investigators obtain good information and find the culprits, everything will be all right. However, the risk of this approach is relatively high, because the chance of the secret leaking during a long investigation is great, and if it fails, the damage to the firm is huge. It is not certain how long it will take the IT experts to find the perpetrators; the cause of the breach may never be known. None of the staff can guarantee that the incident will stay undisclosed. Besides, hiding the truth is a way of cheating the customers. Therefore, taking into account the reputation of Flayton Electronics, this method is absolutely not desirable. So it is necessary that Flayton Electronics release the facts to the public as soon as possible, even though, according to Hasan and Yurcik, the reasons companies do not report breaches to the public are "damage to reputation, loss of current/future customers, and possible lawsuits from shareholders/customers" (Hasan and Yurcik, 2006). A brand-restoration strategy as described by Lee should be developed by the Flayton Electronics team. Given the research by Romanosky, Hoffman and Acquisti above, offering credit-monitoring services is essential. Of O'Connor's three communication methods, holding a press conference is a good way to tell the story to the public accurately, honestly and contritely, but the victims should be informed not only by letter but also by phone or by a personal visit (if the customer is an important one).
However, there is no doubt that customers who receive such terrible news will become angry. Thus, what Flayton Electronics should do is calm the customers down and console them in order to keep them loyal, as Lee suggested: "Offer discounts and sales, meet with critics of the company, and develop and promote new web pages that outline reforms in the firm's policies and practices". In other words, taking a long-term view, Brett and his team should be patient and put the interests of consumers first. Besides, potential risks should be analysed and included in the plan. Therefore, it is possible that if Brett Flayton's team provides a rapid, focused and effective response, his customers will become the most loyal of all.

2.2 Dealing with the System and Managing People

At the same time, the company's IT team should check the whole system and try their best to find the cause of the data breach. Risks to network security such as hackers, malware, well-meaning insiders and malicious insiders are the most likely to affect the information system in Flayton's firm (Bansal, 2010). Firstly, they should repair the vulnerability in the firewall and update the systems. For example, a similar case happened at Heartland Payment Systems in late 2008: because the system's code had been written eight years earlier without annual updates, the database suffered an SQL injection attack that led to the data breach (Cheney, 2010). Therefore, the systems should be maintained and checked frequently in the future. Secondly, well-meaning insiders may be a big problem. Cheney showed that 67% of breached records were the result of insider negligence (Cheney, 2010). For Brett, managing his personnel is essential for Flayton's development. As Foley suggests, incompetent staff such as Sergei, the CIO, must be dismissed.
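As an added illustration of the Heartland lesson above (this is not code from the essay, from the case, or from Heartland's own systems, whose details the essay does not give), the following Python snippet places the kind of string-built SQL lookup that is open to injection beside its parameterised replacement and runs both against a constructed in-memory table of sample card records:

```python
import sqlite3

# Constructed sample data for the demonstration; not real card numbers.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]


def _db():
    """Build a throwaway in-memory table of card-holder records."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cards (customer TEXT, pan TEXT)")
    con.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return con


def lookup_vulnerable(con, customer):
    """String-built query: user input is parsed as SQL, not treated as data."""
    sql = f"SELECT customer, pan FROM cards WHERE customer = '{customer}'"
    return con.execute(sql).fetchall()


def lookup_hardened(con, customer):
    """Parameterised query: the driver binds the value, so it stays data."""
    sql = "SELECT customer, pan FROM cards WHERE customer = ?"
    return con.execute(sql, (customer,)).fetchall()


def demo():
    """Run both lookups on a normal name and on a crafted, non-name input."""
    con = _db()
    # A value that is not a customer name: once concatenated into the
    # string-built query it rewrites the WHERE clause to match every row.
    crafted = "x' OR '1'='1"
    return {
        "normal_vuln": lookup_vulnerable(con, "alice"),
        "normal_hard": lookup_hardened(con, "alice"),
        "crafted_vuln": lookup_vulnerable(con, crafted),  # leaks all rows
        "crafted_hard": lookup_hardened(con, crafted),    # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
```

The hardened lookup is the change a maintenance review of the kind the paragraph calls for would make; the same binding discipline applies to every query that takes external input.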
In order to improve the staff's awareness of IT security, Brett should set up a weekly class on computer security for his employees. Finally, there are the two terminated employees mentioned by the human resources director, Ben Friedman. Investigations must be carried out into these two suspicious people. In addition, the firm's PCI compliance should meet 100% of the requirements, so that liability for the data breach is reduced, protection of critical systems is improved, personal/confidential data becomes safer, and the likelihood of a breach falls (Woda, 2007).

3. Conclusion

A data breach is an incident in which confidential data has been viewed, stolen or used by an unauthorized user. Nowadays, data breaches may be inevitable because of the rapid development of e-business, so knowledge of preventing and resolving security breaches is a necessary skill for managers. Because they lacked experience and knowledge of data breaches, Brett and his team got into trouble. Solutions have been provided in this paper. To summarize, the way to communicate well with the customers, the investigations to find the problem maker, the method for maintaining the systems in the future and the approach to managing people have been put forward. However, Flayton Electronics may still be sued, and the future of the firm remains unknown. The primary cause may be the fast growth of Flayton's. There is no doubt that high-speed growth sacrifices the interests of many people, so what Brett should do is change his strategy to a sustainable development pattern. Here comes the challenge for Brett and his company.

Reference

Adebayo, A. O. (2012). A Foundation for Breach Data Analysis. Journal of Information Engineering and Applications, 2(4), 17-23.
Bansal, S. (2010). Data Breach: Causes, Circumstances, and Remedies.
Caldwell, T. (2012). Reporting data breaches. Computer Fraud & Security, 2012(7), 5-10.
Cheney, J. (2010). Heartland Payment Systems: lessons learned from a data breach. FRB of Philadelphia-Payment Cards Center Discussion Paper, (10-1).
Choo, K. K. R., & Smith, R. G. (2008). Criminal exploitation of online systems by organised crime groups. Asian Journal of Criminology, 3(1), 37-59.
Hasan, R., & Yurcik, W. (2006). A statistical analysis of disclosed storage security breaches. In Proceedings of the Second ACM Workshop on Storage Security and Survivability (pp. 1-8). ACM.
Romanosky, S., Hoffman, D., & Acquisti, A. (2011). Empirical analysis of data breach litigation. TPRC.
Woda, A. (2007). Achieving Compliance With the PCI Data Security Standard. Information Systems Control Journal, 4, 46.