A pattern I see repeated in all kinds of business disputes is that when a business fails to calculate the risk of something going wrong, it becomes even harder to repair the damage when it does go wrong. Notice that the title of this post refers to “when” you will have a data breach, not “if.” This is not meant to be alarmist. In fact, many data breaches are harmless. Surprised to hear that? What about an employee using internal records to locate a co-worker’s home address to send a gift? Is that a data breach? Well, it depends on your policies and authorizations, but even if it is a “breach,” it may not be one that causes damages.
The question is what you can do to prepare for the one that does cause damage. Do you segment your data so that a single breach exposes only a limited subset of your employees or customers? Do you encrypt data? According to recent reports, Anthem did not encrypt its data, and that will cost it. Keep in mind that encryption at rest only helps if the attacker cannot also obtain the keys or an authenticated session that decrypts the data for them. How do you avoid this? Plan, plan, and, oh yeah, plan.
Your first line of defense should be to gather your crisis response team and open the crisis response playbook. You don’t have a team? You don’t have a playbook? If that’s the case, you aren’t ready to be in the game. Here’s what you need to know to get started:
Assembling a crisis response team:
- Identify the key stakeholders within your organization (who will manage customer relationships, public relations, legal compliance, technology compliance, data security, and restoration of business functions?).
- Identify the outside resources you will need (who knows the breach-notification laws in each state or country where you operate, or can coordinate local counsel? who has the forensic expertise to identify and stop the leak? who has the media relations that will help get your message out?).
- Establish a chain of command and a division of duties so everyone knows their role and who is coordinating the response.
Creating a response playbook:
- Develop a set of compliance procedures, including who must be notified, by whom, and within what deadlines in each jurisdiction where you operate.
- Identify contingency plans for using backup data or otherwise accessing key information while affected systems are unavailable.
- Develop an exhaustive checklist to ensure you do not overlook potentially crippling problems.
When you create a crisis response plan, focus on the short term, so you know what to do right away. In the months following a data breach there will be time for information gathering and refinement, and a good crisis response plan will put you in the best position to confront those medium-term problems in due course.
Questions? Let me know.