How To Prevent a Customer Data Breach Disaster ... and What To Do When You Fail
Marketers who collect data will lose it.
An incident will impact their brand's reputation and consumer trust, as well as that of partners and customers.
So planning and data stewardship are everyone's responsibility.
Those are the three rules of data breaches, as outlined by Craig Spiezle, executive director and founder of Bellevue, Wash.-based trade organization Online Trust Alliance (OTA). On Jan. 25, his organization released the "OTA 2011 Data Breach & Loss Incident Readiness Guide."
Because reported data breaches impacted more than 26 million records in 2010, costing US businesses $5.3 billion, the government is taking a closer look at whether companies are prepared to handle the problem, according to the OTA. Spiezle specifically cites the Commerce Department Privacy "Green Paper," which outlines the need for companies to have data breach preparedness in place, and notes that the policy recommendations could "hold marketers accountable for failure to take reasonable steps to protect their data."
Before creating a data breach preparedness plan, Spiezle suggests that marketers ask themselves a few questions:
- Do you know what sensitive information is maintained by your company, where it is stored and how it is kept secure? Do you have an accounting of all information stored, including backups and archived data?
- Do you have an incident response team ready to respond 24/7?
- Are management teams aware of security, privacy and regulatory requirements related specifically to your business?
- Have you completed a privacy and security audit of all data collection activities, including cloud and outsourced services?
- Are you prepared to communicate the breach to customers, partners and stockholders?
- Do you have readily available access codes and credentials to critical systems in the event key staff are not available or incapacitated?
- Are employees trained and prepared to notify management in case of accidental data loss or a malicious attack? Are employees reluctant to report such incidents for fear of disciplinary action or termination?
- Have you coordinated with all necessary departments with respect to breach readiness? (For example, information technology, corporate security, marketing, governance, fraud prevention, privacy compliance, HR and regulatory teams.)
- Do you have a privacy review and audit system in place for all data collection activities, including that of third-party service providers? Have you taken necessary or reasonable steps to protect users' confidential data?
- Do you review the plan on a regular basis to make sure it reflects key changes? Do key staff members have hard copies of the plan readily accessible in their offices and homes?
While the OTA guide outlines 17 recommendations for interactive marketers, advertisers and commerce sites, Spiezle says direct marketers should "pay specific attention" to the following: