In this era of increasing data breaches and technological snafus, businesses are faced with the reality that their customers' personal information may be at risk. In addition to being prepared to take swift action in the event a breach occurs, businesses should also take proactive steps that will accelerate their ability to lessen the internal chaos and public relations nightmare that accompany many data breaches.
Because data breaches impact every area of business including companies without a significant online presence, it is important to engage individuals from a variety of departments within your organization so that you are prepared, organized and ready long before a breach occurs.
Below is a checklist of efforts that should occur within the various areas of your organization.
1. Leadership and department heads: When a data breach occurs, the business' decision-makers, including key executives and managers, should immediately be informed so they can assess the extent of the problem, provide the necessary resources to execute the company's data breach preparedness plan, and handle any secondary issues associated with the breach. Leadership should also determine whether any insurance policies exist that may provide coverage for the data breach, and if such a policy exists, work in conjunction with their legal advisers to make an insurance claim.
2. IT: Since most data breaches involve a compromise of network or protected data resources, your IT department plays an integral role in uncovering as well as preventing these issues. In addition to identifying and mitigating the data breach, IT personnel should train staff in data breach prevention techniques (e.g., maintaining employee password security, identifying phishing attempts, etc.). IT personnel should also act quickly to preserve evidence and — if necessary — work with an outside forensics firm to pinpoint compromised customer information.
3. Legal/compliance: The legal and/or compliance teams are useful in identifying the risk of litigation or other fines that may follow a data breach. After a data breach occurs, outside counsel experienced in handling and responding to data breaches should be retained. Depending on the scope of the breach, the business may be legally obligated to contact customers, the media, law enforcement, and/or governmental agencies. Regardless of whether a business is legally required to report the data breach, the legal advisers should work closely with the PR team to determine whether notice should be given and whether a different type of notice is needed for different geographic areas (e.g., notice requirements differ by state).
4. Third-party data breach specialist: Businesses should consider engaging a third-party data breach specialist, including a forensic expert. The business' credit card processing company, IT department, insurance agent, and/or outside legal advisers may be able to assist in this process. The data breach specialist should be equipped to assist in the handling of the notification process discussed above, provide secure call centers for affected customers, and offer a specific point of contact for employees and leaders to utilize whenever they have concerns. The specialist should also be equipped to provide information about credit monitoring tools and answer consumers' questions about credit report concerns.
5. Security/law enforcement: Businesses should gather all relevant information about the data breach and advise law enforcement officials. Since most data breaches involve criminal activity, the business should strongly consider contacting state and federal authorities.
6. Public relations: The public relations team will need to assess the extent of the damage, and depending on the size of the customer breach and the number of individuals involved, the PR team, in conjunction with legal counsel, may need to contact the media and alert affected customers. In addition, the PR team should monitor media coverage, be prepared to answer questions from the media and provide appropriate updates to business executives as information becomes available.
7. Human resources and/or customer support: The human resources and customer support teams, like all other teams, should prepare their response protocol to a data breach long before it occurs. For instance, these teams should work with other department heads to determine the amount of resources that will be available in the event of a data breach, train data breach response-team personnel, and receive information/feedback from employees. The teams can create simulated training to show employees how their job responsibilities would temporarily change in the event of a data breach. Such training and re-training should be held annually for key employees.
Overall, businesses should prepare a data breach response team and have its members properly trained to respond swiftly and intelligently when faced with a data breach. By developing and implementing response strategies before facing the chaos of a breach, your employees will be better equipped to aid customers and the company in all efforts to rectify the problem and continue providing quality goods and services to the public. By following these steps, your business will have a greater likelihood of reducing any liability associated with the data breach and minimizing any public backlash from the breach.