Preemptively, I'd like to flag that we should connect around strategy if it's appropriate for all WordFly-based orgs to reach out to our patrons about the ransomware data breach.
I have absolutely nothing deeper than that to say yet, but it occurred to me earlier today that, should we need to do this, a good number of tri-state area people may suddenly be on the receiving end of dozens of alarming notifications and make the issue feel even larger. A coordinated notification may be a better approach. Should today's Town Hall reveal that we ought to pursue this, we'll spin up an initial Zoom or something along those lines. Please go ahead and use this thread to note ideas or even just interest. CC: to the NJ folks, Howard Levine and Mark DuBose
FTC would be open to this. I don’t think we have an effective way of communicating before we get our unsubs from WordFly -- they were our primary Unsub DB for marketing. Tessitura drops too much info/isn't reliable. Even with another ESP our hands are a bit tied.
On the town hall - attended the 9AM, wasn't much more information.
POP had their lawyers present and they mainly clarified their position. POP/WordFly's position seems to be that it didn't trigger a need to notify customers under GDPR, which would far overshadow nearly any other US law (at least that I can think of).
Thank you, Jamie, for getting the thinking started on that! I do hope that won't be an issue, but appreciate and agree with the need for coordinating our messaging if we do.
Have been wondering about this same thing on behalf of the Westport Playhouse. Following!
I had not been thinking we need to notify patrons, but one element of concern after the Town Hall is we did map donor giving levels, for purposes of dynamic content. So theoretically, if I'm understanding it correctly, that mapped data could be part of the breach, and thus a donor's individual contribution total could be breached info as well.
Does that sound correct, based on what everyone heard? Is anyone else in this boat? I'm still not clear if we should notify people, since the actual financial transaction details weren't compromised (i.e. payment info) - and I'm afraid to cause a needless panic because I fear patrons won't understand the difference. But I also certainly want to be transparent for our patrons if there is any reason they should be concerned.
Post-call and post-debrief with colleague, my takeaway is that we need to see the written materials that are forthcoming from WordFly as well as initiate internal conversations about liability ramifications and customer service intentions. This suggests to me that a call for us is likely useful, so that, at the very least, we have a general awareness of how many of us have decided to alert patrons. I'll identify a time and a Zoom for the second half of the week so we'll have a bit of time for internal conversations. Counterpoints/ideas welcome. I know how to facilitate spaces, but am unversed in cybersecurity response.
That would be included, yes.
Very happy to participate in a call. Is anyone notifying legal counsel or insurance providers?
Joined to note that I just posted a similar query on the New England regional board - link below. I agree that there is value in understanding how organizations with coordinating constituent bases will be responding to this. I would be interested in being somewhat in the loop on these discussions in the New York region since it bumps up against New England.
community.tessituranetwork.com/.../possible-communications-coordination-on-wordfly-data-breach
Good morning (or, here's hoping it is) -
As we wait / begin to have more informed internal conversations, I thought a form-based way of indicating notification thoughts would be practical.
If you're able to weigh in, please note your current intentions here: https://forms.gle/Tk5ZXo9TJ9ciAJt6A
Please note that this is nothing more than a quick and casual tool for temperature taking; it's nothing official, nothing binding. Graphs are simply better options for quick review than email threads. Most likely, I expect this to be something we can look at during the beginning of a call, but we'll see where the week takes us.
If your organization has more than one person actively following this, please decide which one of you should respond so there aren't duplicates. However, should you need to update a response later this week, please feel free to do so--I will do a quick filter/duplicate removal before building graphs.
Thank you, Jamie! The response choices did not really align with what we're thinking so I wanted to share that here:
Our thought is that it's too soon to notify patrons, as the investigation is ongoing. We feel that if and when we do, WordFly should be leading that messaging, as it was their data breach. The language should come from them, at least in part. And since the compromised data was not personally sensitive, we don't want to rush to notify and potentially alarm them when we don't yet have all of the information ourselves.