The Data Breach ToolKit
The more data intensive a business, the greater is the risk that, at some point, sensitive customer data will be lost or stolen. Managing data security is a major challenge globally but one that is key to maintaining customer loyalty and trust.
To assist you in mitigating these risks, we have prepared a toolkit that includes:
There are two cost elements to consider when it comes to data breaches: the upfront investment to prevent a data breach including technologies, staff time, and other resources and post-breach management when a data breach does occur. The latter is the key in possibly saving your company from significant financial losses.
Because frankly, a data breach will occur at some point to companies both large and small. In fact, any organization can be a target, with the financial, healthcare and government sectors most notably being hit hardest. Major breaches can affect thousands to millions of people, which can translate into thousands to millions of dollars lost for your company if the incident is not handled properly.
Where to Start
A recent Ponemon Institute report shows that organizations can greatly reduce the cost of a data breach by having a strong IT security posture, a chief information security officer (CISO) and an incident response plan.
Unfortunately, many companies are not as cyber secure as they should be. The study, “Is Your Company Ready for a Big Data Breach?,” showed organizations are not employing essential procedures such as requiring mobile devices to be tested for security prior to connecting to networks or enterprise systems, improving access and authentication practices to make sure that only the appropriate employees and contractors have access to its information systems, and encrypting sensitive or confidential personal and business information stored on computers, among other protocols.
Besides the technology side of it, a company should assess its personnel and establish a role at the level of a CISO, as well as appropriate support staff. According to the same study, only 29 percent of respondents say their organization has a department or function designated to manage data breach incidents, and of those who do, only 32 percent employ a CISO.
Lastly, having an incident response plan is crucial. A plan can help you act quickly if a data breach occurs, and acting quickly can help to prevent further data loss, significant fines and costly customer backlash. The plan should include identifying the incident response team lead and the members of the team, what their roles would be in the wake of a cyberattack, and which outside partners should be contacted, among other steps. For a useful tool to get started on your plan, download a free Data Breach Resolution Response Guide.
Key Financial Factors. There are elements of a data breach response plan that, if not executed properly, will directly affect your bottom line. These factors include navigating the legal landscape and communicating with affected parties and the media, which can make or break your reputation. The study, “Reputation Impact of a Data Breach,” shows reputation is noted as one of an organization’s most important and valuable assets. Based on estimates from nearly 850 executives surveyed, the average value of that reputation was determined to be $1.5 billion. With these elements in mind, the following are additional key tips to mitigate the financial impact of a data breach:
Engage outside counsel – Enlisting an outside attorney is highly recommended. No single federal law or regulation governs the security of all types of sensitive personal information. As a result, determining which federal law, regulation or guidance applies depends, in part, on the entity or sector that collected the information and on the type of information collected and regulated. Unless internal resources are knowledgeable about all current laws and legislation, it is best to engage legal counsel with expertise in data breaches to help navigate this challenging landscape and avoid regulatory fines and potential class-action lawsuits.
Communicate to customers – Companies should put customers at the center of decision making following a data breach. This focus means quick and clear communication about the breach and providing some sort of remedy, including call centers where consumers can voice their concerns and credit monitoring if financial, health or other highly sensitive information is lost. A Carnegie Mellon study, “Empirical Analysis of Data Breach Litigation,” found that providing credit monitoring to victims after a data breach makes a company’s risk of being sued six times lower than if they do nothing – even in cases when a victim has suffered financial harm as a result of the breach. If you satisfy your customers, they will likely not take their business elsewhere.
Consider cyber insurance – With the increasing cost and volume of data breaches, cyber security is quickly moving from being considered by business leaders as a purely technical issue to a larger business risk. Cyber insurance coverage can include forensic investigation, outside consultants and business interruption coverage that allows a company to receive payment reimbursement for expenses incurred due to loss of business if a data breach incident prevents the company from operating. It also helps a company become better prepared overall. According to a Ponemon Institute study, “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age,” 62 percent of respondents surveyed believe the insurance has made the company better prepared to deal with security threats.
About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.
The latest Ponemon Institute survey, “The Aftermath of a Mega Data Breach: Consumer Sentiment,” conducted on behalf of Experian Data Breach Resolution, reveals how passionately consumers feel about data breaches, and it’s a call to action for businesses to adopt some best practices to help consumers (and the companies) in recovering from a data breach.
The majority of consumers believe companies should be required to provide protections to help them in recovering from a data breach. Nearly half of breach victims fear their identities will never be safe again, and – perhaps most disheartening – most of them feel that breached companies will be responsive to victims only if detailed media coverage pressures them to be, according to the Ponemon survey.
- Compensate customers caught in the breach. Sixty-three percent of those surveyed said organizations should be obligated to provide identity theft protection in the wake of a breach, 58 percent wanted credit monitoring services and 67 percent wanted compensation such as cash, products or services. Sadly, only a quarter of respondents who’d received a breach notification letter in the past year said they were offered an identity theft protection product. Clearly, there’s a disconnect between what consumers want and what companies are doing. Offering compensation builds goodwill and can help consumers stay protected after a data breach.
- Emphasize good communication. Across the board, survey respondents wanted better communication, including 67 percent who said they craved notification letters that explained the risks and possible harms in clear, easy-to-understand verbiage. From the initial contact of the data breach notification letter throughout the process of recovering from a data breach, communicate as proactively and transparently as possible.
- Focus on customer retention. While most survey respondents said they didn’t terminate their business relationship with the breached company, they didn’t stay because they were happy with how the company handled the breach. Rather, they remained largely because it was too much trouble to go elsewhere. Of those who did leave, more than half said nothing the company could have done would have convinced them to stay. But nearly the entire other half that left said a sincere and personal apology would have been enough to keep them. In addition, 41 percent would have stayed had they been offered identity and credit monitoring. Clearly, customers feel under-valued when they’re recovering from a data breach. Emphasize retention tactics, such as compensation, enhanced communication and appreciation products or services.
Finally, be sure your data breach recovery plan is vibrant and ready. These best practices can help ensure that both consumers and breached companies have optimum success in recovering from a data breach. To learn more about the potential impact of a data breach and how consumers feel about it, download the full survey.