The Right Way to Respond to a Data Breach
Gregory S. Nelson, a volunteer SCORE counselor in Naples, Fla. who advises small businesses on technology issues, had a technology issue of his own in recent months after buying some additional memory for his computer from an online retailer.
After the purchase, the retailer notified him that it had been hacked, exposing his purchasing information.
'They did all the right things. They sent me a letter telling me when it had occurred. They hired a credit watch company to watch over my account for a year and even sent me monthly updates to let me know if there had been any suspicious activity,' Nelson says. 'You know, you get annoyed when something like this happens. But at the end of the day, they did everything possible to correct it. Would I buy from them again? Yes, I would.'
What's the moral to the story? Experiencing a data breach isn't the kiss of death for a business. It's the immediate response in the aftermath that will make or break the company.
Develop an incident response plan
'Stop it, contain it, and control it,' says Ben Rothke, a senior security consultant from the security firm BT INS, outlining the first critical steps.
Rothke offers the following advice for plugging the leak and patching up any problems it may cause with customers or employees.
Data leaks happen to all types of organizations. No business, large or small, is immune. A business owner can't assume it'll never happen to his or her company. Think 'when,' not 'if,' and draw up an incident response plan before your business suffers a leak. If it's already too late, here are some steps to follow in the event of a data breach:
- Find a data breach specialist: Is there anyone on your IT staff who can handle a data breach? If not, have a security specialist handy in the company rolodex. It may be that more than one consultant is needed: someone to pinpoint the leak and plug it, and someone else to assess the damage done and implement fast changes to prevent it from happening again. 'Surprisingly, a lot of companies don't take any action to prevent another breach. It's like they believe it happened once, it can't possibly happen again,' says Nelson.
- Assess the damage: First assess what data was compromised and how bad the damage is. 'Disclosure can actually be counter-productive, if no one is really compromised. Not all breaches are created equal,' says Rothke. If the breach was potentially harmful, for example exposing customer data, then take a page from Nelson's experience with his online retailer. Send out a letter of explanation. Invest in ways to undo or prevent any further damage. Make the information public and easy to access, such as on the company website.
- Come clean: Remember Nelson's experience with the memory seller? It was the full and immediate disclosure that turned a bad situation into an opportunity to build a more loyal and trusting customer for future purchases.
- Take corrective steps: Affected parties and the public need immediate reassurance that the business is making this a top priority and taking steps to prevent it from ever happening again. It is unlikely you'll be forgiven a second time if your clients are compromised again.
- Try to limit the fallout: Call in the experts to contain and monitor the damage. Update security policies more frequently: at least once, if not twice, a year. Customize those policies, along with the response plan, to target and best protect the most sensitive data.
A data breach is more than an IT problem. It's a company-wide crisis and needs to be handled that way. Whether they come from in-house or outside, the IT professionals need to be supported in what they do and told that fixing it is the top priority. Since it is also a communications crisis, it needs to be handled like any other crisis management issue, involving public relations specialists and possibly media spokespeople. Finance and accounting need to assess the monetary damage as well. Most importantly, those affected need to see leadership at the top step up and offer honest, public transparency about what's being done.
SIDEBAR: Other tips to get any business through a data leak
Call the cops! 'Get the ball rolling and file a police report, maybe even contact the FBI,' says Nelson. Nelson contends that's the first important step in establishing that the company is taking full responsibility for the problem with immediate action.
Lock down data where possible. Rothke recommends archiving data that is rarely accessed into a safer place. 'Data is increasingly portable. Establish some security controls to make it more difficult to move it around. Not every employee needs to have their USB ports enabled. Have them sign non-disclosure agreements and get trained in what kinds of data are especially sensitive,' says Rothke. An IT department can do a lot to secure data, but it won't help if an employee reveals too much by phone or email.
Limit access to the system. For some employees, it's best to limit the size of their e-mails. A 20-megabyte e-mail is quite large, and one filled with proprietary information can do a lot of damage if it reaches the wrong person. Shut down the system at odd hours, such as the middle of the night or on weekends, for non-essential employees. Limit the size of outgoing e-mails according to each user's needs. While a graphics designer may need 20 megabytes for a single e-mail, chances are most employees who just shuffle text documents around all day don't need more than five megabytes.
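The two controls the sidebar describes, disabling USB storage for staff who don't need it and setting per-role outgoing e-mail size limits, as an added example on Windows and Exchange (this is illustrative code, not from the article or from Rothke). It assumes the USB part runs elevated on each workstation, the mailbox part runs in the Exchange Management Shell, and that the Active Directory "Department" attribute holds the role used to choose a limit.

```powershell
# Added example (not from the article). Assumptions: run elevated for the USB
# part; run inside the Exchange Management Shell for the mailbox part; the
# "Department" attribute identifies each user's role.

# --- 1. Disable USB mass-storage devices where the role does not need them ---
# USBSTOR Start=3 is the Windows default (driver loads on demand);
# Start=4 disables the driver so removable drives are never mounted.
$usbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
function Set-UsbStorage {
    param([ValidateSet('Enabled', 'Disabled')][string]$State)
    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $usbKey -Name Start -Value $value -Type DWord
    Write-Output "USB mass storage $State (USBSTOR Start=$value)"
}

# --- 2. Per-role outgoing e-mail size limits ---------------------------------
# Role -> maximum send size. Anyone not listed gets the conservative default,
# matching the article's 20 MB for graphics staff and 5 MB for everyone else.
$sendLimits = @{
    'Graphics' = '20MB'   # large attachments are part of the job
    'Default'  = '5MB'    # text documents rarely need more
}
function Set-RoleSendLimits {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $dept = (Get-User -Identity $_.Identity).Department
        $limit = if ($dept -and $sendLimits.ContainsKey($dept)) {
            $sendLimits[$dept]
        } else {
            $sendLimits['Default']
        }
        Set-Mailbox -Identity $_.Identity -MaxSendSize $limit
        Write-Output "$($_.DisplayName) ($dept): MaxSendSize=$limit"
    }
}

# --- 3. Verify the change rather than assuming it applied --------------------
function Get-SendLimitReport {
    Get-Mailbox -ResultSize Unlimited |
        Select-Object DisplayName, MaxSendSize |
        Sort-Object MaxSendSize -Descending
}

# Usage on a workstation:   Set-UsbStorage -State Disabled
# Usage on Exchange:        Set-RoleSendLimits; Get-SendLimitReport
```

The report step matters for the "corrective steps" advice above: it gives the business a record it can show that the new limits are actually in force.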