Data Breach: How to Plan Ahead to Minimize Brand DamageBy Ericka Chickowski | Posted 2011-11-07 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
You want to believe your customers security is iron-clad enough to prevent a data breach. But how do you help them minimize brand damage after a breach has happened? Here's a look.
The rate at which data is being breached, even the most secure organizations seem like they will inevitably be hit by an embarrassing exposure. A recent survey has shown that when it does happen, the damage to a brand can rack up to hundreds of millions of dollars -- and yet, nearly half of organizations still do not plan ahead for post-breach damage control. In order to cope with the reality of the situation, many experts believe that businesses need to do a better job planning for the worst.
"The way business protocols worked five years ago, even two years ago, has drastically changed, and we must prepare ourselves for the new threats to data and privacy," says Ozzie Fonseca, director at Experian Data Breach Resolution. "Data breaches are happening to all businesses — small, medium and large — and no industry is immune."
A survey conducted by the Ponemon Institute on behalf of Experian Data Breach Resolution found that among 850 business executives at companies affected by breaches, they measured brand damage at their firms as a result of the breach to equal anywhere between 12 percent and 25 percent of the brand's value. That's a $184 million to $330 million ding against an average brand value of $1.5 billion at the companies involved.
Among those surveyed, only 43 percent of executives said that their firms had instituted a data breach incident response plan prior to their security incidents. This is remarkable given the propensity for organizations to plan for other business crises, particularly given the fact that most of those surveyed have experienced more than one breach in the past several years.
Organizations need to plan ahead to mitigate the risk to their reputation, Fonseca says.
"A solid reputation is a company's greatest asset, and it is therefore imperative that business leaders take precautionary steps to protect themselves, their customers, their employees and their intellectual property against data breaches," he says.
The most important part of shoring up reputation in the wake of data breaches is that organizations plan their message control ahead of time, says Brian Lapidus, chief operating officer for Kroll’s Information Security, Forensics and Data Breach practice.
"Companies that are intent upon retaining loyalty, reputation and share value would do well to ensure that a spokesperson for the organization is identified and that they are equipped with approved messages and a timeline for the distribution of those messages," Lapidus says. "This is particularly true if the breach is a high-profile one, where a staying on message is critical. Information leaks, rumors and multiple channels speaking at once only serve to dilute and distort the organization’s original message and cause anger and frustration among affected individuals. "
Additionally, organizations need to have some sort of notification letter plans and boilerplates in place to be ready for speedy communication with affected individuals.
"So much is made of the contents of notification letters, the phrasing used, the quality of the apology, etc., but rather than get bogged down in those details, just stick to the basics," Lapidus says. "There are some items that your organization will be required by law to include in your notification letter. Your organization may be obligated to comply with notification requirements dictated by state and/or federal laws pertaining to your industry, so be sure to familiarize yourself with both. "
Doing this advanced groundwork will be key to a speedy notification process once an organization knows it has been hit.
"Several states include a specific timeline for notification as part of their breach laws and, generally, the clock begins to tick as soon as the breach is recognized by the affected organization," Lapidus says.