Companies large and small are focusing more and more on data as a driver of revenue. The more data a company has on their prospects and customers, the greater the opportunity to leverage that data for the purposes of upselling and/or cross-selling. E-commerce companies have led the way in showcasing how profitable it can be to dig into customer buying habits in order to boost single-visit checkout figures as well as repeat visit behavior. From buy-it-now promotions to the ubiquitous customers-who-bought-this-also-bought-that, businesses large and small are determined to collect data on the way to collecting dollars.

Responding in a Crisis

The growing concern nowadays is how consumer behavior towards a given company changes in the wake of a data breach. Target, Home Depot, Google, Facebook, Netflix, Yahoo!, Marriott and LinkedIn are just some of the major brands that have suffered major data breaches. Though all of these businesses have had to endure some unpleasant blowback from consumers (and rightfully so), a data breach has meant a death sentence to none of them. So, how did they manage to take the hit and maintain customer loyalty? The answer lies in what a business does before and after a breach occurs.

Once a breach has occurred it is important to:

  • Contain the breach. Whether it is a hack from outside the company or an employee has mistakenly sent out sensitive data, containment is key.
  • Work with your IT Department or IT Firm to develop an action plan for resolving the issue.
  • Notify customers, employees and vendors (where applicable) of the breach. Develop an honest message regarding the nature of the breach so that there is no room for rumors. Set an expectation of further communication and stick to it.
  • Prepare responses for customer questions. Responses should be honest and timely. It is important to note that your customers may be reaching out via phone, email and through social media channels. It is best to begin planning for this ASAP.
  • Develop a long-term plan which focuses on preventing similar attacks.

Mitigating Risk

Though it is important to respond effectively to a data breach, the steps taken prior to a breach are frankly far more critical. After a breach has occurred, your business will in many cases have to respond according to a Privacy Policy and/or Terms & Conditions already in place on your website. It is important that your policies and conditions (a) are accurate and up to date and (b) reflect the laws that govern the countries and states in which you do business. Some of the language in these policies will be reflected in your predefined internal plan of action. If your business does not have such a plan, you may be asking for trouble. When it comes to data security, the SOP is to hope for the best, but plan for the worst.

Depending on the size of your business and/or the nature of your data, it may be prudent to work with an insurance agent to purchase breach insurance. Data breaches can get expensive. If your business should fall victim to one, it is best that you have a policy in place that covers cyber liability. Speaking of which, that liability will certainly change from one country to another, and many speculate that rules from state to state may differ in nature over time. So, make it a point to explore the business’s liability with your corporate attorney.

Your IT Department should develop a plan of action or adopt Security Information and Event Management (SIEM) software which will enable your team to determine what exactly happened in the moments and days after an attack. In the moments following an attack, your business will require all the tools possible in order to fix the problem and prevent it from happening again. Everyone involved should be empowered to follow a concrete workflow in order to begin the process of getting back to business as usual.

There is no silver bullet to preventing a data breach, nor is there a magic salve that makes everything better immediately. We recommend that business owners and IT professionals make themselves aware of risks and liabilities related to their data and develop action plans accordingly.