How to Respond to a Data Breach, Part 2

When data loss or unintended exposure occurs, organizations face myriad challenges in communication and crisis management.

“Most companies will try and bury any security breach as rapidly as possible, trying to gauge what the impact on them will be and firefighting,” Clive Longbottom, service director of business process analysis for Quocirca, tells CRM Buyer. “Rather than come clean straight away, the majority of companies will see if they can gloss over it in any way.”

Make a Plan

As detailed in Part 1 of this two-part series, the wealthier companies become in data assets, the more attractive they become to attackers. Therefore, a multipronged crisis response plan is recommended — before a breach occurs — to save money and reputations.

Company executives should organize a plan that instructs them when to call law enforcement authorities and which agency — local police, FBI, Secret Service, etc. — to call. Also, the leaders should evaluate whether hiring a public relations firm is necessary for damage control and to streamline customer communication channels.

“Definitely get an instant response plan in place,” recommends Ira Winkler, vice president of marketing for the Information Systems Security Association and author of Spies Among Us: How to Stop the Spies, Terrorists, Hackers and Criminals You Don’t Even Know You Encounter Every Day.

“If you don’t know how, get a consultant,” he advises. “Poorly trained responses can cause more damage than malicious activity.”

Company Size Is Irrelevant

Many small company operators may think a response plan is only a necessity for massive firms — they are wrong.

“The need for a plan is key, no matter what kind of company you are — from a massive B2C (business-to-consumer) retailer down to a small charity, from a logistics B2B (business-to-business) company to a supplier of cleaning liquids,” notes Longbottom.

“A security breach of information can be damaging, and you must have some plan in place to minimize this damage through adequate pre-knowledge of what the threat is and how you should talk to those concerned,” he continues.

It’s common knowledge that larger — or more mature — organizations generally have an established process with clear lines of communications, says Rich Mogull, research vice president for information security and risk at Gartner. “When a breach occurs, the security team is notified and goes into action, first containing the breach, then collecting information to scope the incident and begin the investigations process.”

However, “everybody should be concerned about data breaches,” Winkler points out.

Organizations not large enough to support a security officer should delegate that responsibility to an internal employee, such as an IT person who reports to the CFO or the company’s legal counsel, he recommends.

Implementation and PR

Nevertheless, when the unthinkable happens, security and IT executives must collaborate with the firm’s lawyers to decide what information to share with the public and when.

This is essential, as nearly two dozen states require breach notification — only five require notification of encrypted data.

No matter what the state’s law is, exposed companies should alert their customers, Winkler emphasizes.

“Encryption doesn’t mean data wasn’t lost. Data encryption can be decrypted,” he says.

An Upfront Mea Culpa

A company’s legal representation may disagree with this, but it’s likely that its public relations firm wouldn’t. If the media exposes the breach before a corporate disclosure goes public, the hit to stock prices and customer relationships can be more damaging than an upfront mea culpa.

“I would go for a full-frontal approach,” Longbottom advises. “Let those who the breach could possibly impact know. Let them know that the data was encrypted. Should anything occur due to the breach, they will be indemnified, and if they want to have changes made to any details to make the breached details unusable, then here’s how to go about it.”

Public relations efforts should aim to preserve the corporate reputation while expressing accountability for customer risk.

“Companies that rate higher in the aftermath of a breach tend to be the most proactive in helping the consumer deal with [the] exposure and providing remediation services, such as credit protection,” states Gartner’s Mogull. “Business(es) should realize that these losses are their fault, not consumers’, and only by taking responsibility for their errors and protecting their customers can they maintain long-term loyalty.”

The Follow-Up and Improvements

Nonetheless, the disheartening truth is that your network can never be completely secure and risk-free, says Rob Scott, managing partner of the law and technology services firm Scott & Scott.

“Even those companies with the most advanced security initiatives in place remain at risk on some level,” he adds, noting that although companies have become more cognizant of security breaches in recent years, they still need to introduce better preparedness.

“Executives are embracing this with more fervor than in years past, but they continue to employ reactive, rather than proactive, strategies to protect their enterprise. They are trying to wrap their arms around an overwhelming task with understaffed IT departments and shrinking IT budgets,” Scott concludes. “In those cases, technology tools that automate processes and controls can be an invaluable investment in prevention.”

Longbottom agrees, noting that firms should pay closer attention to the long-term strategy.

“Short-term [efforts are] just trying to keep everyone fully informed and letting them know that steps have been taken to protect them,” he says. “Long-term has got to be stopping such breaches from ever happening again.”

How to Respond to a Data Breach, Part 1