Data breaches are happening with regularity, and many tough lessons have been learned by companies that have dealt with the ambiguity inherent in determining the scope and scale of a breach, as well as the customer and consumer concerns over having personal data stolen. Since no two data breaches are the same, each situation calls for a different response. However, a number of best practices have been identified that mitigate the reputational damage. The following is a list of steps to help guide your organization’s data breach response plan.
- Proactively designate a lean team with all functions covered – The best approach to resolving a data security breach quickly and comprehensively is to ensure that there is a small, well-briefed team with decision-making authority that meets regularly to share the latest information and collaborate on the next steps, taking into account all of the different audiences and priorities in the situation. While every organization will build this team in accordance with its own culture, core functions should include:
- Consumer affairs
- Human resources
- Board of Director liaison
This team should be identified and should work together prior to any data breach, either on existing operational issues or on a simulated incident. All necessary outside consultants should be identified and introduced to the team in advance. Having this team already in place is one of the most significant benefits cited if and when a cybersecurity incident occurs.
- Base decisions on the best interests of your customers/consumers – Data breaches create substantial concern among your customer base, and the most important action you can take is to alleviate that concern as quickly as possible. The process is to share what took place, what information was acquired, what actions are being taken to protect customers, and what actions are being taken to protect the data in the future. While there has to be a reasonable approach to what information is shared, the emphasis should be on greater transparency rather than less. Along the same lines, all reasonable efforts should be taken to protect your customers and consumers (e.g., IDCheck) to the greatest extent feasible.
- Communicate appropriately, not urgently – While there are many reasons to disseminate data breach information as quickly as possible, communicating too early can cause significant setbacks. There is a vital need to provide accurate information rather than speculation. Releasing incomplete or unconfirmed information prematurely can create greater panic among your key stakeholders, especially if it later has to be corrected. It is likely that multiple announcements will be required, and there are at least two announcement milestones:
- First announcement – Detail what is known about the data breach and what immediate actions need to be taken, and announce the forensic study
- Forensic results – Announce the findings of the completed study, what data breach management actions have been taken on behalf of customers/consumers, what actions customers/consumers need to take, and what safeguards have been put in place.
- Communicate to all audiences simultaneously with the same information – When you are ready for external communications, make sure that you have identified all key audiences and the most effective method of communicating with each of them. This may take preliminary work to ensure that contact information is complete and accurate. Once you are ready to go, take care to ensure that the same information is being provided to each audience. Developing materials from a central message document and adapting them for each audience, rather than providing a single document for employees to adapt, will minimize message deviation and reduce confusion.
- Provide the appropriate resources – A data breach is a significant business risk, and there is great value in resolving the situation as quickly as possible. While data breaches often cost more than originally anticipated, many companies that have had negative experiences with data breaches have found that the cause was a lack of attention when the breach first occurred. Provide the financial and human resources needed as quickly as possible in order to restore customer trust. Short-term investment in data breach management helps drive long-term revenue, as it enables a company to get back to business as usual more quickly.