Data breaches continue to headline the news, and it’s likely to get worse before it gets better. The influx of consumer technologies into the workplace promises to put more data at risk than ever before. There’s a growing tendency for Boards of Directors to become involved when a breach occurs. An event puts the organization at risk: industry and government regulators may get involved, the corporate reputation can be damaged, and fines and fees can be quite high.
A 2011 joint research study by the Ponemon Institute and Symantec Research showed that the average cost of an event has reached $194 per breached record, and the average organizational cost per data breach is $5.5 million. That kind of money will get the attention of practically any board.
Something that can be even more damaging than the outlay of money for fines and fees is the erosion of trust in a company once it has sustained a data breach. A recent survey of more than 2,000 people conducted by Check Point Software and YouGov reveals that 50% of those surveyed said their trust in government and public sector bodies was diminished as a result of ongoing breaches and losses of personal data over the past five years, while 44% said their trust in private companies was reduced. What’s more, 77% of respondents said they would actively prefer to buy goods or services from a company that had not suffered a data breach, in preference to buying from a company that had suffered one. When customers stop buying, stock values can plummet.
A few months ago I advised readers how to put together a plan to respond to a data breach. Much of the advice came from the Online Trust Alliance 2012 Data Protection & Breach Readiness Guide. Having a good response plan is important, but there are preparatory things an organization should do even before a breach ever happens. Taking care of these actions now can help limit the damage from a breach, when or if one should occur. I’m talking about identifying and possibly contracting key service providers or agencies that will need to be called into action quickly once a breach is suspected or reported. These key service providers include:
- An investigation and forensics partner
- A privacy law firm with experience in data breaches
- A breach notification partner
- A crisis communication team
- A company for credit monitoring and identity theft management
While it may not be necessary to sign contracts with these service providers ahead of any need for them, it’s helpful to know precisely who you will call if/when the need arises. However, keep in mind that some companies, especially the investigation companies, give preference to the clients who put them on a rapid response contract. Also, you may find that multiple services can be provided by a single source. For example, a privacy law firm may also be able to handle the breach notifications since they are largely dependent on state laws.
Let’s look at each type of service provider and what they can do for you.
An investigation and forensics partner
In the event of a complex breach such as a hacking attack or insider data theft, you will need to mobilize an external investigation team quickly. Fast action is required to prevent further data loss and to preserve evidence of what has already happened. The investigators will want to take forensic copies of the systems thought to be compromised before any evidence is lost, so staff should be told not to reboot, reimage or “clean up” affected machines until the investigators have captured them. This critical partner should have the expertise to determine what happened and how, and to what extent data has been compromised. It’s essential to get to the heart of what happened so you can repair your systems and plug the holes that could lead to ensuing breaches.
A privacy law firm
Even something as simple as a lost USB stick containing sensitive data may trigger legal action. It’s advisable to contract a law firm that is familiar with the variety of state and federal privacy laws, and perhaps even international laws if private information belonging to other countries’ citizens is involved. For example, data protection rules in the European Union are quite strict, and mishandling a breach there can carry serious penalties.
The law firm’s responsibilities include looking out for your company’s legal interests in the wake of a serious data breach. According to the firm Hunton & Williams, legal areas implicated by information security breaches include privacy and information management; government and internal investigations; and corporate governance and SEC compliance.
Your legal partner also should act as your liaison to agencies such as the FBI, the U.S. Secret Service, the Federal Trade Commission, and other agencies with a vested interest in data exposure.
A breach notification partner
In the absence of a single federal law governing breach notification, 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands (at this writing) have enacted their own legislation requiring notification of security breaches involving personal information. As you can imagine, it can be overwhelming to know the details of each law: who you must notify, when you must send your communications, what you are required to tell them, and whether you are required to do anything for individuals whose data may have been compromised (such as provide credit monitoring). This is why you want to contract a knowledgeable partner for breach notification. (This may be a service you can get from your legal partner.)
A crisis communication team
Unless your company is rather large and regularly has to explain bad news to shareholders, your internal communications team probably isn’t experienced with crisis communications. There is an art to knowing how to publicly discuss bad news like a data breach. You will want to engage a crisis communications team that includes a media-trained spokesperson who also has a deep understanding of operations and security. This team is likely to face some harsh questions from the press and the public. What’s more, the communications team will be distilling information from the forensics investigators to explain, in layman’s terms, how the breach happened and what is being done to mitigate the situation. You don’t want to sugarcoat the event, but you need to communicate carefully to avoid further liability.
Credit monitoring and identity theft management
Some data breach laws require, and regulators and affected customers will often expect, that the breached company provide credit monitoring and/or identity theft management services for a year or more to individuals whose personal information may have been compromised. This is especially important in cases where data was deliberately stolen, as hackers will be looking for ways to monetize the purloined data as quickly as possible.
Utilizing the services I’ve mentioned above will help preserve customer trust, reputation and brand loyalty, and may help to minimize the impact of fines and lawsuits. Depending on the circumstances, these professionals may help to establish culpability on a third party’s part, hopefully reducing your own company’s liability for losses.
Make no mistake: the stakes of a data breach can be quite high. You need professional help to get you through such an event.