It seems like managing data breaches has become a part of doing business these days. From the October denial of service attack on Dyn (a company that provides core internet services to companies like Twitter, Spotify and Netflix) to the recent hacks of the Clinton campaign’s emails, data breaches are increasing in frequency, scope and cost. The average cost of a data breach increased to $4 million in 2015, and the 2016 Cost of Data Breach Study: Global Analysis published by IBM and the Ponemon Institute places the likelihood of a company having a material data breach involving 10,000 lost or stolen records in the next 24 months at 26 percent.
To help businesses quickly respond to data breaches, the Federal Trade Commission (FTC) recently published a Data Breach Response Guide that outlines the steps to take and whom to contact if personal information may have been accessed improperly. In particular, the FTC provides the following recommendations:
- Secure Operations. A business should move quickly to assemble a team of experts to conduct a comprehensive breach response that includes securing physical areas and online systems to prevent additional data loss and preserve evidence.
- Fix Vulnerabilities. A business should work with its forensics experts and other members of its internal and external crisis management team to identify and address vulnerabilities, such as service providers’ network access and the effectiveness of encryption and network segmentation plans.
- Notify Appropriate Parties. A business should clearly and accurately communicate with all affected parties, such as employees, customers, law enforcement, investors, business partners, and other stakeholders. The FTC’s guide provides a model letter for businesses to notify people whose names and Social Security numbers have been stolen. It is important to note, however, that most states have breach notification laws that specify the information that must, or must not, be provided in breach notices to consumers.
Given the business, reputational, and other potential costs and liabilities, it is critical for most businesses to take steps to prepare for a potential data breach by, among other things, conducting periodic reviews and assessments of their physical and online systems, addressing identified vulnerabilities, and assembling a data response team of internal stakeholders and external experts. (A copy of the FTC’s Data Breach Response: A Guide for Business is available here.)
If these precautions and suggested reactions sound familiar, they should—they are basically the same responses recommended for more traditional crises. By comparison, fires, floods and oil spills are quickly recognized and thus easier to react to, while a data breach can go undetected for months and even years, making strong preventative measures a much more effective response than even the most robust forms of crisis management. Forget an ounce of prevention—you may be better off with a few pounds.