Every Organization Needs A Plan For Handling A Data Security Breach And That Plan Needs To Contain A Communication Component.
By Thomas J. Roach
Organizations that get hacked or lose control of customer data have two immediate problems. One is that they have allowed themselves, their customers and business partners to become exposed to financial chicanery, and the other is they become less trustworthy. The second problem is worse than the first.
Certainly the potential losses resulting from criminal use of identities and accounts are significant, as are the costs of notifying and assisting everyone whose personal data was exposed. However, as bad as these potential outcomes may be, they are usually manageable and survivable. The loss of trust is not.
Some trust problems can be overcome. If a company has a breach of security, initially this might mean that it cannot be trusted with professional and personal data, but the initial breach may serve as a wake-up call and result in a more secure information environment. After all, approximately 75 percent of organizations have already suffered at least one data breach.
In other words, with the right response, the public might conclude that sometimes bad things happen to good companies, and if the company’s response to the problem is strong enough, the public might decide that the company is more trustworthy because of the learning experience.
Trust as it relates to reputation and character is much more fragile. One falsehood makes someone untrustworthy, perhaps forever. A trusted source might argue that a problem was a fluke and will never happen again and be believed because of the trust factor. An untrustworthy source can’t make a similar argument.
I had a large financial institution as a client several years ago. They reported customer data to a government agency on a monthly basis. One month the security company that delivered the data lost the package with social security numbers and bank account numbers of over a million customers.
The institution had a dilemma. I got the call at 6 p.m. as I was leaving my office, and they wanted my opinion. They had been looking for the package for several days, and it was possible that eventually it would turn up. If they found it unopened, no harm done; no one needed to know about it.
However, if it was in the hands of some criminal element, then their customers were possibly being defrauded while the institution continued a futile search. I told my contact that I would get back to him the next day. He made it clear that I could not discuss the problem with anyone.
It was on my mind that night. If word gets out and someone other than the company spokesperson breaks the story, then there will be two news narratives: one that the institution lost control of customer information, and two that they deceived the public. I called my contact before I went to bed and recommended that he hold a media conference first thing in the morning.
The cyberhack on Sony Pictures Entertainment on Nov. 24, 2014, has everyone thinking about how to prevent similar occurrences at their organizations. Certainly we all need to take every precaution to protect our data.
However, taking precautions is not enough. Every organization needs a plan for handling a data security breach if and when one occurs, and that plan needs to contain a communication component.
Customers, employees, business partners: everyone who might be victimized by a security breach deserves to know about it as soon as it can be confirmed. Any time lost to uncertainty about how to act, or to fear of repercussions, increases the vulnerability of the innocent victims of the crime.
More importantly, the organization must make it clear that it puts the needs of its publics before its own needs. Stalling or, worse, deceiving the public takes the situation from bad to worse.
Security breaches are to be avoided at all costs, but if they happen, we adjust and we move on. Reputations are forever.