So much work, time, and effort go into preventing a cyber attack that many organizations fail to plan for the worst: developing a data breach response for when an attack actually occurs.
According to the latest Independent Oracle Users Group (IOUG) Enterprise Data Security Survey, one third of organizations state that a data breach is "somewhat likely" to "inevitable" in the next 12 months. An inadequate response can end up eroding customer loyalty, invalidating cyber insurance policies, and costing a company millions.
Understanding Data Breach Response Laws
In 2015, the Obama administration put the Personal Data Notification and Protection Act into action to help protect consumers from the waves of data breaches occurring in the business world.
Today, if a security incident occurs at a business that serves 10,000 or more customers per year, that organization has 30 days to disclose the necessary information to people who have been compromised.
Penalties for noncompliance can reach up to $1,000 per day, per individual compromised in the data breach, with a maximum of $1,000,000 per violation. That's no small fee for ignoring notification laws, but it's nothing compared to state regulations.
As if that’s not enough, most states have their own regulations governing breach reporting. The firm Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, P.C. put together a matrix to help companies better understand how to develop a data breach response, and what they are up against.
There are also industry-specific reporting rules that companies must follow:
Insurers must comply with the Principles for Effective Cybersecurity Insurance Regulatory Guidance
Healthcare businesses are bound by the HIPAA Breach Notification Rules
Compromises related to credit and debit cards are subject to the reporting requirements in the Payment Card Industry Data Security Standard
Data Breach Response 101: Understanding the Basics
While basic reporting guidelines exist, companies need to be smart about how they communicate information to affected customers. Every aspect reported will come under public scrutiny, and customers expect to be protected by the businesses they patronize.
Regardless of the specific state or federal regulation in play, official data breach notification letters and emails must go out in a timely fashion.
Here are several helpful tips to consider when crafting communications:
First and foremost, you should explain exactly what data was lost in the breach and the circumstances that led to its compromise.
You’re not writing an eBook, white paper or industry report. Notifications must use concise language that clearly explains the situation and potential risks to consumers.
No matter what you write in the notification, consumers will inevitably want more information. Provide a toll-free number for customers to call with any questions.
After consumers understand the situation, they’ll want to know how to resolve their problems. Include the next steps they must take to become secure again. One common practice is to recommend (and offer) an identity protection product.
Avoiding Mistakes When Your Company is On the Line
The ugly truth is that data breaches happen often, but companies lose points in consumers’ eyes when they mishandle them and fail to be upfront and honest about it.
Why are people so hostile toward Target when other breached companies, such as Home Depot, aren't feeling the heat? Target waited over a month to report its breach, did not initially disclose the full details, and its website FAQ for compromised customers never seemed apologetic.
Defending against breaches is challenging, but creating a data breach response shouldn’t be a nightmare. Winning over consumers in the wake of a data breach requires general courtesy:
Be proactive and send out notifications the minute you understand the basics of the situation.
Keep an open line of communication throughout the process.
Launch a microsite, as Anthem's PR team did, that lays out clear FAQs to help customers get through the tough situation.
Following state regulations is essential to responding to a data breach, but winning over customers requires companies to put themselves in other people's shoes and go above and beyond the call of duty when notifying those who have been compromised.