Data breaches and network hacks have become an inevitable and harsh reality for businesses. Whether passwords were compromised, sensitive information was exposed or a device has been stolen—a breach can be extremely inconvenient.
Ask yourself these questions as they can be useful in developing a strong plan for responding in the wake of a data breach.
What Data is at Risk?
Consider the type of information that is at risk and how the exposure of this information may affect your company. A data breach is always a negative occurrence, but some information is more sensitive than others.
For example, earlier this month, an employee of North Carolina Medicaid lost an unencrypted USB drive containing sensitive information including full names, address, Social Security numbers and dates of birth of 50,000 customers. The incident put many customers at risk for identify theft and it was essential that the company acted immediately.
What Are My Regulatory Requirements?
A company’s regulatory requirements dictate what they must do when a data breach occurs. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Payment Card Industry (PCI) Security Standards Council define these requirements and 46 U.S. states now have some form of reporting requirements. Failure to report a breach or a lack of security standards may result in legal consequences.
For example, The Hospice of North Idaho faced harsh fines for their lack of effort to safeguard patient information after a breach of unsecured electronic protected health information.
When Should My Customers be Notified?
It is crucial to notify customers, employees, investors, regulators and other key stakeholders of a breach immediately to build trust in the company and so that the people whose information was exposed can monitor their accounts for suspicious activity. Prepare an external communications template in advance so if a breach does occur, you can populate the messaging with details and send out a notification, as well as create an FAQ and prepare a spokesperson.
The Online Trust Alliance (OTA) educates businesses on cyber security best practices. The organization offers a sample notification letter and additional resources in the 2012 Data Protection and Breach Readiness Guide.
How Can My Company Be Extra Secure?
In essence, there is no fool-proof security plan. However, a robust plan includes one additional barrier that proves strong after all other means of protecting data fail—data encryption. Encrypting data is the last defense against malicious hackers as the information they obtain will be useless.
A recent incident at Evernote, a software suite and service designed for note taking and archiving, compromised the passwords of their users. Evernote fortunately encrypted all passwords beforehand. Furthermore, in an abundance of caution, Evernote required users to reset their passwords.
Has your company experienced a data breach? What procedures are in place to handle these types of incidents? Please share in the comments below.
You must be registered in order to write comments. To register as a new user click here.
If you're already registered, please leave a comment here