Data Breach: What to Do When it Happens to You
“Whether you’re an international conglomerate or a small business,” said Experian vice-president Michael Bruemmer in a recent blog post, “how you handle a data breach speaks volumes about the kind of company you are, how well you treat customers, and your long-term prognosis for a business success or failure.”
The cost of a data security breach can be enormous and long-lasting with brand damage and customer loss as well as financial expenses such as legal and other third-party fees, non-compliance fines, and providing free credit monitoring to victims.
A recent IBM-sponsored study showed that the total average cost of a data breach is now $7.01 million; the average cost per lost record is $221.
In 2015, there was a 64% increase in security breaches, according to a blog post on Learn Big. The post also reported that only 25% of organizations are prepared to defend against and react to a cybercrime.
Here are important steps to take in the early hours following a data breach:
Alert the team: As part of a comprehensive information security policy, there should be a response team and data breach response plan in place. The team should include employees and, if necessary, third parties from information technology, senior management, legal counsel, public relations, and customer relations; everyone should know exactly what needs to be done. Research showed that having an incident response team in place lowered the cost per stolen record by $16.
Contain the breach: Identify the source of the breach – and stop it or contain it. Where did the breach occur, what is its scope, what information was breached, and who will be affected? Often a breach is caused by a cyber attack, but it may also be the result of a negligent employee or a stolen hard drive or hard copy. What’s most important is stopping the leakage.
Communication: Communicating the breach to affected parties must be handled carefully. There should be drafted statements at the ready to let employees, customers and others know what happened, what steps you are taking to address the security breach, and what you’re doing for those affected. Apologize but don’t over-react. According to the Experian blog: “Doing or saying too much before you have all the facts can be just as damaging as doing nothing.”
Legal notification: At the same time, know privacy laws and breach notification requirements in your state or country and industry – and act accordingly. For example, in the U.S., most states have their own specific laws and notification requirements.
Ongoing support: Set up call center support for anyone affected by the breach. Offer assistance such as free credit monitoring and/or identity theft protection.
Aftermath: It’s often said that the weakest link in a company’s security chain is its employees. Teach employees how to prevent similar issues in the future. Employee training can lower the cost per stolen record by $9, according to the IBM-sponsored study. Going forward, also utilize multi-layered protection: patching, access management, password management, and multi-factor authentication. There should be physical safeguards too, such as scheduled information destruction provided by a reliable document destruction company.
Improving information security practices has to be an ongoing process in every organization.