What's the best way to handle a data breach? Ideally, the information security practices of businesses, government agencies, and their contractors would be so refined that a single record would never be exposed. But data breaches are a fact of life, and furthermore even the best security program in the world wouldn't defeat a determined, malicious insider.
How many businesses, however, even have a world-class security infrastructure? Last week, for example, saw the exposure of personal details on 4.9 million people, including names, social security numbers, and addresses, thanks to the theft of unencrypted backup tapes containing TRICARE data that had been left in the care of a Science Applications International Corporation (SAIC) employee. In the annals of information security best practices, failing to encrypt stored data ranks as an amateur--though not uncommon--mistake.
That's why the smart money on data breaches is to treat them as a "when," not an "if," proposition, especially when it comes to dealing with state attorneys general, as well as any relevant regulatory body. "Don't wait until a breach occurs to think about how you will deal with the regulators. A data breach event does not necessarily mean that you are doomed in the eyes of the regulators, but they do have expectations," says Theodore J. Kobus III, an attorney at Baker Hostetler, in a blog post.
When a breach does occur, businesses must gather as much information as possible, stay transparent, and proactively manage the situation. "Data breach prevention and mitigation is a C-suite issue and not an IT-only issue," he says.
Also think about, and make plans for, how a breach will shake customer confidence. That's because a recent study from Ponemon Institute found that the leading cost of data breaches was the resulting customer churn. While the average share of customers lost after a data breach was 4%, some industries--healthcare and pharmaceutical companies--saw average churn rates of 7%.
To keep customers, preparedness and cool heads pay off. Timing-wise, for example, don't assume that immediately disclosing a breach should be the first step. "I've seen organizations that totally jumped the gun--'We've got to do it'--and they've notified, but have no response mechanism in place for the individuals who have been affected, so it's adding insult to injury," Brian Lapidus, chief operating officer of Kroll Fraud Solutions, tells me. "We always tell our clients that if they're going to notify about the problem, say what the solution is at the same time, and give them avenues to call or contact you back."
Delivering the "we're aware of the problem and working to fix it" message--and meaning it--requires planning. Start by identifying who will be in control of the data breach message, have premade scripts ready to deploy to call centers, and draw up a list of personnel who will be drafted to help manage the situation. Planning helps frontload some of the logistical detail work related to notifications, such as having up-to-date address information for as many current or former customers as possible.
Regulations, however, will require constant minding. Each of the 48 states has its own data breach laws on the books, and they can differ. Massachusetts, for example, doesn't want to see a lot of detail in the notification letters sent to its residents, while New Hampshire does.
Data breach disclosures, correctly executed, can help businesses not just forestall customer defections, but also defuse class-action lawsuits in cases where customers can't prove that they've been directly harmed by the breach, says Lapidus. But courts want to see businesses respond in a proactive and forthright manner, whether investigating the breach, notifying authorities, or alerting customers and extending identity theft protection.
Ideally, any data breach response plan would include an internal forensic investigation to identify exactly which records had been exposed, and how, not least to strengthen future information security defenses. Owing to time and cost, some businesses skip this step, according to a study sponsored by SAIC. But they may be doing themselves a disservice. "We had a client who thought it had a breach of 1.5 million people's records--that would be extremely costly. But forensically, they were able to prove that the network had not been compromised," says Lapidus. "What looked like an intrusion on the outside wasn't."
While that outcome might be rare, with a little data breach planning and by putting a good breach-response strategy in place, it's at least a possibility.