To: Mr. Bob Turley, CIO
From: Independent Member on the Board of Directors
Date: January 13, 2003
Subject: Actions Following the DoS Attack
As a result of the DoS attack earlier this morning, it is important to assess and address the upcoming actions of our company with regard to customers, procedures, security, and partners. Below I have summarized my suggestions on how to handle these issues and what needs to be done to prevent another attack from reoccurring.
Customers: Do we disclose the attack?
After weighing both the advantages and disadvantages of disclosing the attack to the public, it appears that the best course of action would be to disclose the information to the public. As we currently stand, we do not know if any account information has been compromised; however, if there was a compromise somewhere during the attack, iPremier could face heavy lawsuits. This would be an extremely high cost to incur for the company. Therefore, we need to let the customers know that there was a DoS attack, and that there does not appear to be any compromise of account information. We also need to make them aware that we will be taking to prevent an attack from reoccurring.
It is clear through this morning’s events that we need to reassess and/or implement various procedures in our organization. Below is a summary of these procedures oPublic relations—it appears that there is a significant concern for how we are to defend our reputation in the public’s eye. There is a high probability that the stock price will be impacted negatively by this attack. There should already be in affect a procedure that clearly indicates how to handle these types of situations. oLegality—there is a possibility, although, not apparent as of this morning that account information could very well have been compromised. It is important to be prepared from a legal standpoint on how this will affect the organization....