Had a significant data breach? Here’s how to get to grips with the problem quickly to avoid customer panic and reputation meltdown.
You’ve just had a call from IT: some records have been compromised. It’s not clear whether that means a few spelling mistakes or that the details of your entire customer base are being touted around on a memory stick in the Russian badlands. So what now?
Have a plan. Don’t wait until you’ve already suffered a significant data breach to start working out how you are going to respond. Scenario development and war gaming are two of the techniques commonly deployed to help in planning for a crisis. You need to identify the response teams, understand where the impact will be felt and have advisers lined up to help.
Get the measure of it. Priority one is to understand what’s happened and the extent of the data loss. “A data security breach can happen for a number of reasons,” says the Information Commissioner’s Office (ICO). These include loss or theft of data, hacking and unauthorised use, and equipment failure. “Establish whether there is anything you can do to recover any losses and limit the damage the breach can cause,” says the ICO.
Keep the fingerprints. “Ideally, a victim organisation will immediately make a forensic image of the affected computers, which will preserve a record of the system at the time of the incident for later analysis and potentially for use as evidence at trial,” advises the US Department of Justice’s Cybersecurity Unit. You should also keep records of all the steps taken by your employees as possible evidence.
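The DOJ advice above is about preserving evidence: an image is only worth keeping if you can later show it is a faithful copy and who handled it. The script below is an added example, not from the article or from the DOJ guidance it quotes. It copies a source (a disk device or, here, a constructed sample file) to an image in fixed-size chunks, hashes both source and image with SHA-256, verifies the digests agree, and appends a timestamped chain-of-custody record. All paths and the examiner name are hypothetical placeholders.

```python
"""Preserve evidence integrity when imaging an affected system.

Added example (not part of the original article). The sample "device"
is a constructed temporary file so the script runs offline; on a real
incident `source` would be a block device path such as /dev/sdX
(placeholder) opened read-only.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size


def image_and_hash(source: str, image: str, chunk: int = CHUNK) -> dict:
    """Copy `source` to `image` chunk by chunk, hashing the source as we go.

    Returns the SHA-256 of the bytes read from the source, the SHA-256 of
    the written image re-read from disk, and the number of bytes copied.
    """
    src_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as fin, open(image, "wb") as fout:
        while True:
            block = fin.read(chunk)
            if not block:
                break
            src_hash.update(block)
            fout.write(block)
            size += len(block)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image really hit the disk
    # Re-read the written image independently so a silent write error is caught.
    img_hash = hashlib.sha256()
    with open(image, "rb") as fimg:
        for block in iter(lambda: fimg.read(chunk), b""):
            img_hash.update(block)
    return {
        "source": source,
        "image": image,
        "bytes": size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
    }


def verify_image(result: dict) -> bool:
    """The image is usable as evidence only if both digests agree."""
    return result["source_sha256"] == result["image_sha256"]


def record_custody(result: dict, log_path: str, examiner: str, note: str) -> dict:
    """Append one JSON line recording who made the image, when, and its hashes."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": "forensic_image",
        "verified": verify_image(result),
        "note": note,
        **result,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def demo() -> dict:
    """Run the whole flow against a constructed 3 MiB (+17 byte) sample device."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    source = os.path.join(workdir, "sample_device.bin")  # constructed input
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))  # deliberately not a multiple of CHUNK
    image = os.path.join(workdir, "sample_device.dd")
    result = image_and_hash(source, image)
    return record_custody(result, os.path.join(workdir, "custody.jsonl"),
                          examiner="analyst-01 (placeholder)",
                          note="constructed sample, not a real incident")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody log is append-only JSON lines, one record per action, so the same pattern can record later steps (who mounted the image, when it was handed to counsel) alongside the hashes that tie each record to a specific copy of the data.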
Come clean. The big question is who you tell and how quickly. Remember it’s much better if your customers find out from you rather than from the media. Claire Snowdon, Director of crisis management consultants Regester Larkin, says, “Deciding when and how to inform stakeholders is not a straightforward decision. Target’s recent (2013/14) handling of its customer data loss shows us that communicating too late can erode trust. But if it had communicated too soon, would it have caused panic?”
Notify or not. You are not obliged (in most sectors) to notify the ICO of a data breach; but it depends on the scale and sensitivity of the data and whether it’s encrypted. It may be best to err on the side of caution: the ICO is more likely to clobber you with a hefty financial penalty if they think you’re trying to cover it up.
Reassure. Jim Steven, head of data breach services at Experian, says: “Giving customers a sense of control following a breach is vital. That means providing them with simple, easy-to-use tools and support they can use to defend against misuse of their personal data – from credit monitoring and identity theft protection services to dedicated helplines.”
Communicate what you’re doing. Say sorry, but move on quickly to talking about the solution, says Visa’s Responding to a Data Breach guide. Don’t play the victim. “Although you may have had a crime committed against you, the public and business press will still hold you accountable and will not consider you a co-victim,” warns Visa.
DO SAY: “We would like to apologise to our customers for the loss of data but reassure them that every effort is being taken to protect their privacy.”
DON’T SAY: “A load of customer records were taken, but don’t worry – we’ve got a backup!”