At the rate data is being breached, even the most secure organizations seem destined to suffer an
embarrassing exposure sooner or later. A recent survey has shown that when it does happen, the
damage to a brand can rack up to hundreds of millions of dollars — and yet,
nearly half of organizations still do not plan ahead for post-breach damage
control. To cope with this reality, many experts
believe that businesses need to do a better job of planning for the worst.
"The way business protocols worked five years ago, even
two years ago, has drastically changed, and we must prepare ourselves for the
new threats to data and privacy," says Ozzie Fonseca, director at Experian
Data Breach Resolution. "Data
breaches are happening to all businesses — small, medium and large — and no
industry is immune."
A survey conducted by the Ponemon Institute on behalf of
Experian Data Breach Resolution polled 850 business executives at
companies affected by breaches; they estimated the brand damage their firms suffered as a
result of the breach at anywhere between 12 percent and 25 percent of the
brand’s value. That’s a $184 million to $330 million ding against an average
brand value of $1.5 billion at the companies involved.
Among those surveyed, only 43 percent of executives said
that their firms had instituted a data breach incident response plan prior to
their security incidents. This is remarkable given how readily
organizations plan for other business crises, and all the more so because
most of those surveyed had experienced more than one breach in the past
several years.
Organizations need to plan ahead to mitigate the risk to
their reputation, Fonseca says.
"A solid reputation is a company’s greatest asset, and
it is therefore imperative that business leaders take precautionary steps to
protect themselves, their customers, their employees and their intellectual
property against data breaches," he says.
The most important part of shoring up reputation in the wake
of data breaches is that organizations plan their message control ahead of
time, says Brian Lapidus, chief operating officer for Kroll’s Information
Security, Forensics and Data Breach practice.
"Companies that are intent upon retaining loyalty,
reputation and share value would do well to ensure that a spokesperson for the
organization is identified and that they are equipped with approved messages
and a timeline for the distribution of those messages," Lapidus says.
"This is particularly true if the breach is a high-profile one, where
staying on message is critical. Information leaks, rumors and multiple channels
speaking at once only serve to dilute and distort the organization’s original
message and cause anger and frustration among affected individuals."
Additionally, organizations need to have notification letter plans and
boilerplate text in place so they are ready for speedy
communication with affected individuals.
"So much is made of the contents of notification
letters, the phrasing used, the quality of the apology, etc., but rather than
get bogged down in those details, just stick to the basics," Lapidus says.
"There are some items that your organization will be required by law to
include in your notification letter. Your organization may be obligated to
comply with notification requirements dictated by state and/or federal laws
pertaining to your industry, so be sure to familiarize yourself with
both."
Doing this advanced groundwork will be key to a speedy
notification process once an organization knows it has been hit.
"Several states include a specific timeline for
notification as part of their breach laws and, generally, the clock begins to
tick as soon as the breach is recognized by the affected organization,"
Lapidus says.