How To Prevent a Customer Data Breach Disaster ... and What To Do When You Fail
Marketers who collect data will lose it.
An incident will impact their brand's reputation and consumer trust, as well as that of partners and customers.
So planning and data stewardship are everyone's responsibility.
Those are the three rules of data breaches, as outlined by Craig Spiezle, executive director and founder of Bellevue, Wash.-based trade organization Online Trust Alliance (OTA). On Jan. 25, his organization released the "OTA 2011 Data Breach & Loss Incident Readiness Guide."
Because reported data breaches impacted more than 26 million records in 2010, costing US businesses $5.3 billion, the government is taking a closer look at whether companies are prepared to handle the problem, according to the OTA. Spiezle specifically cites the Commerce Department Privacy "Green Paper," which outlines the need for companies to have data breach preparedness in place, and notes that the policy recommendations could "hold marketers accountable for failure to take reasonable steps to protect their data."
Before marketers create data breach preparedness plans, Spiezle suggests they ask themselves a few questions:
- Do you know what sensitive information is maintained by your company, where it is stored and how it is kept secure? Do you have an accounting of all information stored, including backups and archived data?
- Do you have an incident response team ready to respond 24/7?
- Are management teams aware of security, privacy and regulatory requirements related specifically to your business?
- Have you completed a privacy and security audit of all data collection activities, including cloud and outsourced services?
- Are you prepared to communicate the breach to customers, partners and stockholders?
- Do you have readily available access codes and credentials to critical systems in the event key staff are not available or incapacitated?
- Are employees trained and prepared to notify management in case of accidental data loss or a malicious attack? Are employees reluctant to report such incidents for fear of disciplinary action or termination?
- Have you coordinated with all necessary departments with respect to breach readiness? (For example, information technology, corporate security, marketing, governance, fraud prevention, privacy compliance, HR and regulatory teams.)
- Do you have a privacy review and audit system in place for all data collection activities, including that of third-party service providers? Have you taken necessary or reasonable steps to protect users' confidential data?
- Do you review the plan on a regular basis to make sure it reflects key changes? Do key staff members have hard copies of the plan readily accessible in their offices and homes?
While the OTA guide outlines 17 recommendations for interactive marketers, advertisers and commerce sites, Spiezle says direct marketers should "pay specific attention" to the following:
1. Data classification: Audit the data being retained, where it is stored and how it should be destroyed. "Today, marketers collect, use and append a great deal of data, yet often do not have the discipline of knowing what is stored, who has access to it or where it is stored. ... They need to employ measures to protect the data (i.e. encryption) that is in transit (moved to service providers or employees) or at rest (stored or archived), and data that is in use."
2. Implementing data loss prevention technologies: Spiezle argues that ninety percent of breaches can be prevented through best practices. "There are several best practices that are often overlooked or not adequately maintained," he says, including:
- use of Secure Sockets Layer (SSL, since succeeded by TLS), an encryption protocol for Internet communications, for all data collection forms;
- extended validation SSL certificates for all commerce and banking applications;
- data and disk encryption;
- multilayered firewall protection;
- encryption of wireless routers;
- default disabling of shared folders;
- dual factor authentication to limit or control access;
- reviewing the security risks of password reset flows and identity verification security questions;
- upgrading to browsers with integrated anti-phishing and anti-malware;
- email authentication (e.g. SPF and DKIM) to help detect malicious and deceptive email and websites;
- upgrading to current browsers;
- enabling privacy and data collection controls;
- automatic patch management for operating systems, applications and add-ons;
- inventory system access credentials;
- remote wiping of smartphones; and
- use of Domain Name System Security Extensions (DNSSEC).
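As an added example (not code from the OTA guide or from this article), the following Python script shows the kind of data-inventory scan that underpins the data classification and data loss prevention steps above. It runs over constructed sample rows standing in for a CRM export, a mailing list and an archived backup, flags fields that look like email addresses, US Social Security numbers or payment card numbers, confirms card candidates with a Luhn checksum so that order references are not reported as cards, and summarizes which dataset and field holds each kind of data. The dataset names, field names, patterns and sample values are all assumptions made for illustration.

```python
"""Minimal data-inventory / DLP scanner (added example, not from the OTA guide).

Walks a set of record collections (here constructed in memory as stand-ins
for a CRM export, a mailing list and an archived backup), flags field values
that look like sensitive data, and reports where each kind of data lives.
All dataset names, field names, patterns and sample rows are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Patterns for data types a marketer typically holds. Card numbers are matched
# loosely here and then confirmed with a Luhn check, which removes most false
# positives from order numbers, phone numbers and similar digit strings.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "us_ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card_number": re.compile(r"^(?:\d[ -]?){13,19}$"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> Optional[str]:
    """Return the sensitive-data class of one field value, or None."""
    value = value.strip()
    for kind, pattern in PATTERNS.items():
        if not pattern.match(value):
            continue
        if kind == "card_number":
            digits = re.sub(r"[ -]", "", value)
            if not luhn_valid(digits):
                continue  # card-shaped but fails Luhn: treat as an ordinary ID
        return kind
    return None


def inventory(datasets: Dict[str, List[Dict[str, str]]]) -> Dict[str, Dict[str, int]]:
    """Map each sensitive-data class to the 'dataset.field' locations holding it.

    Result shape: {kind: {"dataset.field": count_of_values}}
    """
    found: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for dataset_name, rows in datasets.items():
        for row in rows:
            for field, value in row.items():
                kind = classify_value(value)
                if kind:
                    found[kind][f"{dataset_name}.{field}"] += 1
    return {kind: dict(locations) for kind, locations in found.items()}


# Constructed sample data: three places the same customer data ends up.
# The order_ref value is card-shaped but fails Luhn, so it must not be flagged.
SAMPLE_DATASETS = {
    "crm_export": [
        {"name": "A. Example", "contact": "a.example@example.com", "note": "VIP"},
        {"name": "B. Example", "contact": "b.example@example.com",
         "order_ref": "4111 1111 1111 1112"},
    ],
    "mailing_list": [
        {"email": "c.example@example.com", "segment": "newsletter"},
    ],
    "archived_backup": [
        {"customer": "a.example@example.com", "pan": "4111 1111 1111 1111",
         "tin": "123-45-6789"},
    ],
}

if __name__ == "__main__":
    for kind, locations in inventory(SAMPLE_DATASETS).items():
        print(kind)
        for location, count in sorted(locations.items()):
            print(f"  {location}: {count}")
```

In a real audit the same functions would be fed rows read from database exports, CSV dumps and backup archives rather than in-memory samples; the point is that the output is a list of concrete locations (the backup holding card numbers and SSNs, for instance) that can then be encrypted, access-controlled or destroyed as the classification step requires.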
3. Creating an incident response team, which should have:
- a corporate officer or executive with broad decision-making authority;
- representation of all key internal organizations;
- "first responders" available 24/7, in the event of an after-hours emergency;
- a spokesperson trained with media and incident response who has a deep understanding of operations and security;
- a team of appropriately trained employees;
- someone who has access and authority to key systems for analysis and back-up;
- the appropriate authority and access to management to take actions that may require higher-level approvals; and
- a summary of key contacts, including after-hour numbers for both internal and external contacts, outside legal counsel, and the PR agency.
4. Creating a project plan that addresses:
- Who, internally and externally, needs to be informed and when?
- What data do you or your partners hold and how have you protected it?
- What changes need to be made to your internal processes and systems to help prevent a similar breach from recurring?
- How damaging will the loss of confidential data be to your customers or partners?
- How damaging will the loss of confidential data be to your business and employees?
- What level(s) of law enforcement should be involved?
- Are the answers above the same for all of your customer segments?
5. Who needs to be notified? Should you notify stockholders, consumers, partners, regulatory agencies and/or law enforcement agencies?
6. Drafting and communicating responses: "The goal is to create templates and draft documents, Web pages, FAQs and other supporting materials in advance," says Spiezle. Those can include:
- internal communications;
- partner communications;
- phone scripts;
- on-hold messages;
- spokesperson training;
- email and letter templates; and
- website and FAQs.
7. Providing assistance and remedies to customers or partners affected by the data breach: "This can range from credit reports to ID theft mitigation services," says Spiezle. "The need is based on the breach type and information disclosed."