By Michael Bruemmer, Vice President, Experian Data Breach Resolution
The highly publicized data breaches of 2015 – a total of 781 to be exact, exposing almost 170 million people – and the major security incidents we’ve seen in 2016 have further demonstrated the increasing frequency and severity of cyber-attacks. It’s safe to assume that it is no longer a question of if, but when a company will be breached, and while business leaders are now more aware of the detrimental impact a data breach can have on a company’s reputation, the majority are still struggling to feel confident in their ability to best manage these issues.
In today’s rapidly evolving landscape, it is critical that businesses and executives are up to speed on how to best prepare for and mitigate the fallout of a major security incident, so they can avoid a damaged reputation and the resulting loss of customer retention. The good news is that there are many steps companies can take to manage this major risk area.
Build a Strong Incident Response Plan
First and foremost, it’s vital that companies have a strong and well-practiced response plan in place before an incident occurs. The plan should outline precise steps the company should take in the event of a breach, clearly detailing the roles and responsibilities of each team member and taking the involvement of a variety of departments in data breach prevention and response into consideration.
If an organization does not have existing in-house legal counsel, communication experts or security teams, it will be important to identify the external experts who will be needed to help manage a major incident. Companies should determine specifically who they’d like to work with ahead of time and introduce them to their response team. This approach will ensure greater alignment and reduce the likelihood of having to change providers mid-stream during an actual data breach.
Furthermore, it’s important that companies both practice and update their data breach response plans on a regular basis to ensure they are accounting for ever-changing threats. For example, employee negligence is the leading cause of security incidents, yet less than half of response plans account for managing an incident caused by a malicious insider within a company. Taking the time to audit and practice plans will ensure that companies are considering emerging risks and instilling the confidence in employees to manage a breach effectively.
Knowing in advance how to respond can significantly benefit a company’s reputation, because its communication following an incident carries a significant impact.
While companies are often required by law to notify individuals affected by a breach through a written and mailed letter, the way in which the notification is written, as well as the other avenues used to communicate with customers and key stakeholders, can make a big difference in determining their loyalty to the company post-breach. Notification letters should be sincere and tailored to the customer, based on the situation and type of information exposed. They should include a genuine apology, details around the event and specific steps customers should take to protect themselves.
Beyond the formal notification letter, companies should consider other channels they can use to communicate with affected customers. For example, establishing a page on the company website with an FAQ section dedicated to providing more details about the incident, and setting up a call center for additional consumer support, are effective engagement tools. Unlike a written letter, a designated website can be regularly updated as the company continues to learn more about the incident, and it is an easy place for customers to gather information. Additionally, call center providers can help a company answer more detailed questions about an incident, calming the concerns of those impacted.
Provide Resources for Protection
Beyond effective communication, providing guidance and resources that help customers and stakeholders further safeguard the information exposed by a data breach is key to maintaining trust. This includes offering free identity theft protection and credit monitoring services that will alert customers if their information has been used fraudulently, as well as help them remediate any issues that occur if necessary.
Companies should also take into account that aside from appreciating additional guidance, customers also expect these resources to be provided for protection. In fact, according to an Experian consumer survey, 63 percent of consumers believe organizations should be obligated to provide identity theft protection in the event of a data breach.
The concerns and needs of customers following a data breach should always remain a priority for companies. Individuals affected by a breach deserve to be notified and presented with the appropriate remedies.
Michael Bruemmer, CHC, CIPP/US, is Vice President with the Experian® Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the Information Security Media Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.