Data breach? Don’t let chaos ensue. Take these steps to protect customers and secure the future of your company. Plan for data breaches and survive the disaster.
Over 4 billion records were breached in the first half of 2019. In that time, nearly four thousand companies announced to the public that they had been breached. This represents nearly a 60% increase over the year before.
The reality is that breaches will happen.
This doesn’t mean we throw in the towel when it comes to preventing data breaches, because you can still reduce your risk significantly through prevention. But it does mean that you need a plan for data breaches.
Holden Watne with GenerationIX in Los Angeles recommends key strategies when hit with a data breach.
What Not to Do
It’s not our intention to pick on Equifax. Data breaches aren’t easy to manage even if you’re one of the most trusted brands in the financial industry. We’re empathetic to that fact.
But the truth remains that Equifax appears to have been woefully unprepared for the aftermath of a data breach. Because of that, they made several terrible mistakes.
First, they suggested that those who’d had their data stolen pay Equifax to have their credit frozen. A data breach on your watch isn’t the time to profit.
And when people called customer service to find out what to do, the department gave out the wrong website address for a page intended to help the victims.
This isn’t an isolated debacle.
In 2019, a rogue employee at Trend Micro allegedly sold over 100,000 customer records to scammers. It took over a month to find the rogue employee and disable access, during which the breach continued and customers were not alerted.
When Marriott found out that current and former employee data had been compromised in 2019, they took nearly 60 days to notify the victims. They found that they had incomplete contact information for many of the employees and many didn’t have current addresses. This complicated the communications process.
And the list goes on.
What to Do After a Breach
The FTC recommends the steps below. Note also that state and local laws specific to your area may apply.
Also, note that if one of these steps takes longer than expected, you shouldn’t delay later phases. In many cases, teams may need to complete multiple steps at once and revisit steps when more information is available.
Secure Your Operations
Shore up your systems. If you know where the breach occurred, fix the immediate problem.
You should be prepared for this before a breach occurs. Identify your data forensics team so they’re ready to jump into action. And consult with your lawyers to make sure you understand any legal obligations.
You’ll undoubtedly need to bring in various employees based on the type of breach, but you need a plan beforehand. If you don’t have one in place, you’ll need to quickly construct this team to take prompt action.
It’s okay to remove inappropriately posted information. But be very careful not to destroy evidence when securing the breach. That will come back to bite you.
Assess and Fix Vulnerabilities
Where there’s one data risk, there are likely others. Do a broader sweep of your risks and fix vulnerabilities. Here are some things to look at:
- Explore vendor relationships and protocols
- Check to see how data access is segmented
- Have a functional communication plan
- Determine if you need to invest in more productive technologies and/or tech and security support staff. Bring everything up to 2020 standards.
Notify Customers and Other Parties
Notify customers and law enforcement, if applicable. You may also need to have a plan for communicating with shareholders, vendor partners, employees and other stakeholders.
Lack of forthcoming information leaves too much room for the rumor mill. Even if you don’t have all the details yet, it’s better that communication comes from you.