Five Guidelines for Handling a Data Breach
September 4, 2014
The headline isn’t a surprise anymore: A major retailer investigates a massive data breach. This time, home improvement retail giant Home Depot is examining whether all of its 2,200 nationwide stores were the source of a massive batch of stolen financial information that recently went on the black market.
Home Depot has been handling the crisis well, getting in front of investors and explaining what they know and promising to come forward when leadership has additional details.
Being nimble when disaster strikes is critical. The decisions and pressures on an organization when its network is compromised and personal data is accessed are overwhelming. The clock starts ticking right away, and in this world of 24/7 media and social media, a slow, unsure response can be deadly. Customers and vendors need to know. Depending on the nature of the personal data exposed, regulatory agencies (state and federal) and the state’s Attorney General need to know. Media will find out one way or another.
Advance planning is critical. Many of the communications tools you will need can be drafted in advance and fine-tuned when something happens. Although it can be difficult to make the case to budget-conscious CEOs, spending dollars upfront on communications planning and training will save money in the long term and help avoid a devastating reputational hit.
Here are some guidelines to get you started:
Find an attorney—before you need one: Identify an attorney with expertise in privacy and data security and establish a relationship. He/she will guide you through all the reporting requirements specific to your industry, in the states in which you do business, and in some cases federally. You will receive counsel on the potential for litigation and a review of all written communications. And an attorney can help prevent a breach or loss by conducting privacy audits and risk assessments to surface potential vulnerabilities so you can address them before a hacker exposes them.
Update your Crisis Communications Plan: Include protocols for reporting a data breach. The steps to follow are specific and prescribed. Get them committed to paper now so there is no question about what to do first, second and third when it happens.
Draft Away: Nearly all communications materials—media statements, fact sheets, Q&As, letters to employees, customers, clients—can be prepared in advance so there is something to work with when the breach or loss occurs. The time and angst saved by not having to start from scratch will be incredibly valuable and will allow you to frame the news rather than respond to questions from media or others.
Train and Practice; Practice and Train: You don’t want an actual breach to be the first time you put your plan to the test, nor the first time your Crisis Response Team (reps from IT, HR, Customer Service, Sales/Marketing, etc.) meet and work with each other. Tabletop exercises and drills show you which parts of your plans work well and which ones need to be retooled. And they bring to light for members of the Crisis Team how important communication across departments is.
Build a Social Media Presence before a Breach: Depending on the scope and spread of a breach, social media can play a significant role. In some industries there are blogs dedicated to tracking and dissecting how a network was hacked and data moved. Social media networks can light up with complaints from those affected. On the flip side, social media can be a fantastic channel to get your message out and communicate with key audiences, but only if a company has a loyal and engaged following ahead of time. It is impossible to play catch-up and try to build a strong social network once the crisis happens.
The Massachusetts Office of Consumer Affairs and Business Regulation reports that nearly 1 in 5 Massachusetts residents were affected by a data breach last year—more than 1 million people in one state alone. It’s not a matter of if your business is affected, but when. Follow these steps, and when the IT department calls to say there has been a breach or loss, your response won’t be “Houston, we have a problem.” It will be, “Let’s activate the plan and pull the team together.”