Crisis alert: How to respond to a data breach

The number of data breaches and cyber attacks is increasing. Javelin Strategy & Research says fraud losses from existing bank accounts and credit card accounts were up 45 percent last year to $16 billion.¹ Welcome to the new world of work — with new and advanced threats.

The good news is that companies are realizing that how they react to a breach can be just as important as the technology infrastructure they use to defend themselves against attackers.

“Customers will always judge a business by the swift action it takes, rather than what got you into trouble in the first place,” said Jason Maloni, SVP at communications firm Levick, as quoted in the Wall Street Journal.²

So if you’ve been breached, and don’t know how much of your customers’ personal information has been stolen, what do you do? Let’s break it down into steps.

1. Establish a data breach response team

Even though the technical pieces are typically handled by IT security, your overall response to a data breach requires a team of multiple people from various departments. Depending on the size and complexity, it should at least include the manager of the program experiencing the breach, the CIO, chief privacy officer, general counsel, someone from your crisis communications team, and an executive from finance or procurement.

3. Assess the extent of the breach and its impact

The assessment step is when it’s necessary to gauge the extent of the risk and how stakeholders might be harmed. Once that’s determined, businesses can then determine whether customers should be notified. Since your responses could often be highly visible, even public, make sure company officials are thoroughly briefed on how to articulate the breadth of the situation. The more details you can provide the media or customers, the better off you’ll be if the situation escalates. If you’re found to be hiding important information from your customers, the PR hit could be devastating for your organization. Be open and upfront.

4. Have a clear process for reporting data breaches and know which agencies to notify

If you haven’t already, you should establish procedures for quickly reporting a suspected or confirmed breach. As mentioned in the second bullet, knowing where to go for information during a breach is critical. A well-crafted response plan lays out which resources are best suited to respond to a particular request for information or action. Once things inside the organization are perfected, response times to external organizations and agencies will improve.

5. Analyze responses and identify lessons learned

Businesses should always review and measure their responses to a data breach, even the most basic actions that were taken. By identifying the lessons learned, companies can build that expertise into their compliance and governance models that deal with security and privacy. And keep testing and refining your response plan — you don’t want a major incident to be the plan’s first test.

For more information, check out this McKinsey piece on incident-response strategies.³