After the recent rash of high-profile data breaches, the Internet is rife with tips for handling a breach at your organization. The experts’ standard message: notify consumers immediately and don’t downplay the impact.
The Dallas Morning News has a keen interest in data breaches because some of the largest recent reports come from retailers headquartered in its home state of Texas: Neiman Marcus (Dallas), Sally Beauty Holdings (Denton) and Michaels Stores (Irving).
In a Sunday story, reporter Pamela Yip discussed proper handling of a breach with Javelin Security & Research senior analyst Al Pascual. His comments:
“If you don’t tell consumers how they’ve been victimized, they can’t take the necessary steps to protect themselves. Plus, it looks bad on the business. In reality, it does look like they’re holding back.
“People want to place blame, so keeping the story to yourself or minimizing details to really prevent liability just exposes businesses to greater liability in the end.”
The story claims that poor breach notification strategies and a higher rate of identity fraud have cost retailers customers; retailers tend to be punished more by consumer behavior than other industries are.
More from the story:
“Release clear, descriptive, and prompt notifications,” Pascual said. “Notifications that describe in detail how a breach occurred can bolster an organization’s claims that they have corrected the security vulnerability … restoring some degree of confidence among consumers.”
Shutting down the flow of information is the worst thing a business can do in a data breach.
“To avoid having a breach event’s narrative hijacked by the media or by adversarial organizations, prompt disclosure is imperative,” Pascual said. “A loss of control can imperil an organization’s reputation, diminishing the trust of business partners, consumers, and shareholders.”
Days before the Dallas Morning News report, Healthcare IT News associate editor Erin McCann published her own “breach response tips from experts” directed at the healthcare industry. The message from the experts she contacted was strikingly similar.
Along with an immediate breach response, there is another key takeaway from Gerry Hinkley, a partner at the Pillsbury Winthrop Shaw Pittman law firm: “Don’t give in to individuals who want to sugarcoat this. … You do much better really saying what happened up front.”
McCann quoted Hinkley from a presentation he gave at the recent HIMSS Media and Healthcare IT News Privacy and Security Forum in San Diego. He says a proper breach response can help limit costs, avoid litigation and preserve the integrity of the organization.
After a breach, Hinkley suggests the following steps:
1) An internal report throughout the organization that explains the forthcoming breach notification, before the Department of Health and Human Services (HHS) and the media are informed.
2) Quickly report the breach to HHS. Don’t wait the allowed 60 days.
3) Immediately after the breach, change passwords and authorizations and preserve all evidence.
4) Remediation, including credit monitoring and a phone line available to those affected.
“What we advise, whatever the plan is, it should engender trust in your organization that you’re doing the right thing,” said Hinkley. “You can really put a lid on subsequent enforcement and litigation risk if you’re very up front; you’re apologetic; you’re very clear on what the consequences are and you provide remedies that are well-tied to what the actual risks are that are presented to the individual.”