How To Prevent a Customer Data Breach Disaster ... and What To Do When You Fail
1. Data classification: Audit the data being retained, where is it stored and how it should be destroyed. "Today, marketers collect, use and append a great deal of data, yet often do not have the discipline of knowing what is stored, who has access to it or where it is stored. ... They need to employ measures to protect the data (i.e. encryption) that is in transit (moved to service providers or employees) or at rest (stored or archived), and data that is in use."
2. Implementing data loss prevention technologies: Ninety percent of breaches can be prevented through best practices. According to Spiezle, "there are several best practices that are often overlooked or not adequately maintained," including:
- use of Secure Socket Layer (SSL), an encryption protocol for Internet communications, for all data collection forms;
- extended validation SSL certificates for all commerce and banking applications;
- data and disk encryption;
- multilayered firewall protection;
- encryption of wireless routers;
- default disabling of shared folders;
- dual factor authentication to limit or control access;
- security risks of password reset and identity verification security questions;
- upgrading to browsers with integrated anti-phishing and anti-malware;
- email authentication to help detect malicious and deceptive email and websites;
- upgrading to current browsers;
- enabling privacy and data collection controls;
- automatic patch management for operating systems, applications and add-ons;
- inventory system access credentials;
- remote wiping of smartphones; and
- use of Domain Name System Security Extensions (DNSSEC).
3. Creating an incident response team, which should have:
- a corporate officer or executive with broad decision-making authority;
- representation of all key internal organizations;
- "first responders" available 24/7, in the event of an after-hours emergency;
- a spokesperson trained with media and incident response who has a deep understanding of operations and security;
- a team of appropriately trained employees;
- someone who has access and authority to key systems for analysis and back-up;
- the appropriate authority and access to management to take actions that may require higher-level approvals; and
- a summary of key contacts, including after-hour numbers for both internal and external contacts, outside legal counsel, and the PR agency.
4. Creating a project plan that addresses:
- Who, internally and externally, needs to be informed and when?
- What data do you or your partners hold and how have you protected it?
- What changes need to be made to your internal processes and systems to help prevent a similar breach from reoccurring?
- How damaging will the loss of confidential data be to your customers or partners?
- How damaging will the loss of confidential data be to your business and employees?
- What level(s) of law enforcement should be involved?
- Are the answers above the same for all of your customer segments?
5. Who needs to be notified? Should you notify stockholders, consumers, partners, regulatory agencies and/or law enforcement agencies?