The year of data breaches: 2014. From Target, to Home Depot, to the U.S. Postal Office, it seemed like more companies were having data breaches than ever before. It was a mess.
We’ve learned from their mistakes what to do – and what not to do during a data breach.
Malicious code, phishing, scams and viruses were penetrating the protections that many companies had in place. The attack wasn’t on the ground, like most crises – it was in cyberspace. Here is a guide for how to handle a data breach.
- Flag concerns early: hopefully your company has some kind of system in place for reporting security concerns to a central place. It is even more helpful if there are thresholds in place to determine the potential severity quickly. An average phishing email or an isolated credit card theft does not by itself warrant ringing the crisis bell; however, a series of similar and more widespread attacks, or confirmed deployment of malicious code, means it’s time to pay attention and start the response process.
- Determine impact and escalate quickly: a data breach could mean many different things. But there are just a handful of key categories of information that spell major concern from a reputation and legal standpoint:
  - Financial data: including credit card information, account numbers and PIN numbers.
  - Personally identifiable information: social security numbers linked to names, addresses or emails.
  - Health information: health records and individual patient data.
If any of these are included in the data that has been compromised, step 3 should be taken immediately.
- Notify stakeholders: If personally identifiable information or health records have been compromised, it is important to immediately notify those whose data has been compromised. In fact, in most states it is the law. For more information on the laws specific to your state, read more here. Only three states (Alabama, New Mexico and South Dakota) do not currently have a law requiring consumer notification of security breaches involving personal information. In addition, the Securities and Exchange Commission requires that material cyber risks and intrusions be disclosed to investors. It’s important to share the news yourself, before others tell your story for you. Get to your customers or patients before the media does and you will maintain some trust.
- Notify the proper authorities: Relevant government agencies may need to be notified of the incident, such as the Federal Communications Commission, the Federal Trade Commission, and, in the case of cyberterrorism or criminal activity, the Federal Bureau of Investigation. They will aid in the investigation and help ensure proper protocols are followed, in addition to your own legal team. Be aware that once authorities know, the media will know too, so ensure that your stakeholders hear from you before taking this step.
- Take responsibility. It may have been an egregious hacker, and there may have been little to nothing your company could have done to prevent the breach, but in the eyes of your customers it was your responsibility to protect their data and to prevent this type of incident. Do not deflect blame. Accept the responsibility and instill a sense of ownership in fixing or repairing the situation in a swift, secure manner.
- Prioritize the investigation. Business will need to go on as usual, but once the headlines begin to slow down, it is easy to pull resources away from gathering the facts of the investigation quickly and accurately. Maintaining a sense of urgency is essential, because the news cycle can and will return if the matter isn’t resolved soon. Meanwhile, your customers and patients are left hanging, concerned about what has happened to their information.
- Maintain a line of communication with stakeholders. It is easy to forget to communicate externally about what is happening when an internal investigation is underway. But forgetting your external stakeholders will create major backlash. External stakeholders to keep informed are media, customers or patients, elected officials, government agencies or entities, and vendors or close business partners. The most important of these are the media and customers or patients. To keep these groups informed, create a “source of truth” where they can find the latest information. Share updates through direct contact (email or phone call) and direct them to the website to find the most up-to-date information.
- Media: Continue to tell your story. Get ahead of rumors or negative stories by maintaining strong relationships with influential media. Find the opportunity to start telling some of the positive stories: maybe your company can start an industry coalition to prevent the same issue from happening to others, or perhaps your business decides to pioneer a new data protection technology. These are good stories; tell them.
- Customers or patients: Do not overwhelm them with too much communication. Sending customers or patients daily updates is too much. You’ll lose readers and annoy the very people you’re trying to maintain a good relationship with. Instead, aim for less frequent communications, such as weekly, that provide news they will care about. Include a link to your “source of truth” web page so that those who want more frequent updates can access them. If you are able, provide new benefits to customers or patients to help repair any relationship damage, such as free credit monitoring, identity fraud monitoring, or significant discounts or freebies.
Look for ways to turn the crisis into an opportunity: deeper relationships with media and customers are possible. There is also an opportunity to demonstrate leadership by aligning your industry to protect customers and patients from future attacks.
- Start the next chapter on a positive note. Data breaches generally aren’t short-term crises, but eventually the situation will resolve and the news cycle will come to an end. It may be in your interest to send a thank you to customers who have stayed loyal, such as a deeply discounted shopping day or something above and beyond the normal sale. Start off the next chapter of your company’s future with an act of gratitude for those who stayed with you, or a warm welcome to bring in new customers. And don’t forget to do the same for your internal team, who no doubt worked tirelessly for months to problem-solve and keep the business going in the midst of a data breach.
Can we help you?
Building an effective post-data breach response process that incorporates crisis management, crisis communications, and other functions within your firm is what we do here at Bryghtpath.
Bryghtpath has built the crisis management plans and frameworks for many Fortune 500 organizations, non-profits, and public sector agencies. Our firm has more than a century of combined experience in developing actionable plans to help prepare organizations for the unexpected. Our expertise includes crisis communications and emergency plans and exercises.
Contact us today at +1.612.235.6435 or via our contact form for a free thirty-minute consultation.