
IT Compliance Institute, May 16, 2006:

Trends and Technologies

Data Breach Damage Control

Your company just suffered a data breach. If you’re wondering what to do next, it’s already too late. An immediate, pre-planned response is vital to keeping your company’s reputation and revenue alive. Prepare yourself with these top tips.

By Mathew Schwartz

So your organization just joined the ranks of Ameritrade, Bank of America, CardSystems, ChoicePoint, Fidelity, the Georgia Department of Motor Vehicle Safety, the US Marines, and Wachovia (just for starters), by suffering a data breach that may have compromised your customers’ or employees’ personal information.

What should you do next? The plan of action could make or break your business.

Companies need to prepare a data-breach-response plan in advance. The writing has been on the wall since California’s Security Breach Information Act (a.k.a. SB 1386) took effect in July 2003. According to the Web site of the Privacy Rights Clearinghouse (PRC), a nonprofit consumer advocacy group, “California consumers must be notified when their name is illegitimately obtained from a server or database with other personal information.” Such information may include driver’s license numbers, social security numbers, and bank or credit card numbers, along with the passwords and PINs needed to access them.

Today at least 23 states have similar data-breach laws, and Congress is weighing a national law that would preempt the state statutes. Even so, data breaches aren’t just about regulations.

Think of the customers. If your company handles a data breach notification poorly, it will lose customers, attract unwanted regulatory attention and class action lawsuits, plus all of those other things that keep golden-parachuted executives awake at night.

Accordingly, here are top tips for surviving, mitigating, and effectively dealing with a data breach:

1. Retreat Behind a PR Screen

If ever there’s a time to be “on message,” it’s in a time of crisis, and if your company fumbles customers’ information, that time is now.

“The number-one thing I’ve found is you just have to do a lot of damage control up front,” advises Chrisan Herrod, executive consultant for compliance solutions at Scalable Software, and until recently, chief security officer at the US Securities and Exchange Commission. “Have some sort of pre-approved communication templates available, and don’t let anyone speak on your organization’s behalf except a pre-approved public relations person.”

“You have to put a good public spin on it,” she says. “Not that it’s ever good. But you have to have a good communications strategy, especially to mitigate any reputational damage that might occur.”

2. Notify Affected Customers Nationwide

When notifying US customers of a potential data breach, companies have two options: notifying only residents of states with data breach laws or notifying affected consumers nationwide. While companies can pursue the former option, it doesn’t smack of forthrightness, and it’s often a losing proposition anyway, since you’ll likely have customers who are resident in at least one of the 23 states with a data-breach notification law.

The simple fact today is, “Any such notification is likely to become public knowledge,” says Jon Oltsik, analyst at Enterprise Strategy Group. Typically, all consumers want to know if they’re affected, regardless of their state’s laws, and this has driven states’ attorneys general—at least in some cases—to press companies for more information.

Today, more companies proactively address such concerns. “This was probably the impetus behind the disclosures at companies like Citibank, Time Warner, and Marriott,” in which all US residents affected by those companies’ data breaches were notified, says Oltsik.

3. Use Multiple Notification Techniques

There’s an art to notifying customers, and many companies don’t seem to know it. Witness one survey of more than 9,000 US consumers, 11.6 percent of whom had received such a notification. The majority of affected consumers said they were dissatisfied with the notice they received, and they often took their business elsewhere as a result.

The study, conducted by the Ponemon Institute, found companies that sent e-mails or form letters to customers lost three times as many customers as companies that sent personalized letters or called people directly. If ever there is a time to roll out the customer service red carpet, this is it.

Note that this isn’t just customer fussiness. The study found more than a third of people mistake an initial data-breach-notification as “junk mail, spam, or a telemarketing phone call.” As a result, “The most effective communication method appears to be a combined approach of telephone and letter,” notes Oltsik.

4. Don’t Play the Passive Card

Half of affected consumers say companies don’t provide enough details about the actual breach. A similar number of people slam companies’ disclosures as not being easy to understand, and almost a third say after reading a notification, they still didn’t know what the consequences of the data breach might be.

Anecdotally, many data-breach-notification letters are known not for forthrightness, but rather for their remarkable reliance on the passive voice and on hedged, conditional phrasing that never quite says what happened.

Here’s where your English can hurt you: Ponemon found companies that didn’t clearly, thoroughly, and quickly communicate to their customers what happened were four times more likely to lose customers than those that did.

5. Detail How You’ll Help

Most customers seem willing to forgive a breach if companies come clean about what happened, the potential repercussions for the individual, what the company is doing to help, and how it plans to prevent future breaches. So as part of the notification letter, let customers know what you’re doing to help.

Interestingly, the Ponemon study found that only about half of organizations offer outright assistance. “The most common type of support provided by organizations included the issuance of new accounts—and credit cards—and closer monitoring of accounts for suspicious activities.”

About a third of respondents say when they request support, it’s inadequate. That’s roughly the same number that severed business ties with the company in question.

6. Think Like a Consumer

Part of helping consumers means arming them with the resources they need to understand what happened and what they should do next. Numerous resources can help with this step, including, “How to Deal with a Security Breach,” a PRC guide for consumers (http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm).

When referring your customers to such a guide, make sure your notification supplies the facts a consumer needs in order to work through it. For example, the first step in the PRC guide is to determine whether the breach involves existing accounts, the potential for new accounts, or identification documents, since each has its own potential repercussions and thus requires a different response.

Tell consumers what they need to know. Then, following the PRC or other guides, walk customers through the next steps for protecting themselves. These include notifying the credit bureaus of the breach, establishing a fraud alert, ordering a credit report, and carefully checking that report for signs of fraud.

Customers must continue to monitor their credit reports, though only California mandates that victims of identity theft receive free monthly reports. (Some companies offer customers free credit reports for a year.) Finally, 12 states helpfully allow residents to freeze their credit reports for free in cases of identity theft.

7. Prevent the Data Breach from Happening in the First Place

Of course this point seems obvious, but if your company suffered a data breach, it’s time to ask the tough questions: why did it happen, and whose head should be on a platter?

Preventing data breaches starts with adequate identity management and access controls, plus sufficient security for the databases, laptops, backup tapes, and everywhere else sensitive data resides, but it doesn’t end there. Companies must prioritize security, apply risk-based controls, and secure valuable information (which now includes people’s personal information), no matter where it lives.

In short, when it comes to preventing security breaches, says Scalable’s Herrod, “It’s not just a security problem; it’s a management issue.”

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.