When it comes to data breach preparedness and response, some companies hit it out of the park and others muddle through. Knowing what’s worked and what hasn’t during actual breaches is invaluable. So we’ve compiled our top five lessons from the field. You shouldn’t overlook them, no matter how prepared you think you are.
Encrypt Like Your Reputation Depends on It
In a breach, encryption can mean the difference between a criminal accessing hundreds, thousands or even millions of records or none at all. Unfortunately for consumers and businesses alike, a breach of unencrypted data is a common scenario, whether it’s due to hacking or a lost or stolen device. In any case, cue the media scrutiny and customer outrage when the public finds out data wasn’t encrypted. And why wouldn’t they be outraged? Encryption is a basic data security measure, so be sure to use it on active and stored data, portable devices and emails. Old data you don’t need? Don’t encrypt it. Destroy it.
Own Up to What Happened
Tell all, a little or next to nothing? Every company faces this question when drafting breach notices and press releases. In a recent Ponemon Institute study on consumer notification, 44 percent of consumers who have been notified of a breach believe the breached company is hiding something [1], so we can only assume that most companies share very little. The result? Affected individuals suspect the breach is worse than it is and lose trust in the organization. Being open about a breach can have the opposite effect and encourage consumers to continue engaging with you. The less you hide about a breach, the less the media and affected individuals will wonder what you’re hiding and why.
Know When & Whom to Notify
We all know the importance of breach notifications. They can help you preserve the relationships you’ve built with customers. But, in the Ponemon study, 57 percent of participants only want to be notified if the breached organization is certain the incident will affect them [2]. In other words, they want to be notified, not over-notified. Take care to isolate the actual breach population before sending out notifications. If notices go flying out the door as soon as you discover a breach, they can do more harm than good. You may notify the wrong people or too many people. If needed, work with a vendor with address-append services to verify addresses so your letters reach the right customers.
Don’t Overwhelm Your Call Center
Whether you’re responsive or unresponsive to affected individuals can determine whether you retain or lose customers following a breach. But if affected individuals can’t reach you because your call center is overloaded, then what? They might turn to the media, prompting additional coverage. Or they might cut ties with you. A good rule of thumb is to anticipate receiving more calls than you think you will – up to thousands in a single day. Instead of playing the wait-and-see game when it comes to determining whether your call center can handle the volume of calls following a breach, contract with a vendor that can.
Satisfy Customer Needs in Your Notifications
The notification letter is the hallmark of your public-facing breach response. It allows you to educate and appease affected individuals, telling them what happened, what you’re doing about it, what their risks are and what kind of protection you’re providing. So why aren’t you? Of 213 breaches recorded in the first half of 2012, 63 percent had no reported attributes, such as the cause of the breach [3]. It’s time to turn the tide and start providing the right details to the right people. That includes offering affected individuals identity protection. Because in the Ponemon survey, 63 percent of consumers want compensation following a breach.
It’s true a data breach is never going to be the best thing that happens to your business. But it doesn’t have to be the worst. Not if you’re prepared. Take these and other lessons into consideration and be ready to act on them if an incident occurs.