You just discovered that your company suffered a data breach. What now?
It's a question that strikes fear into businesses of every size. By definition, a data breach means that a business has lost control over sensitive customer records or other data. Sometimes the breach is unintentional, as in the case of a lost or stolen laptop. In other cases, there's no doubt that an intruder deliberately attacked a company's systems to get their hands on sensitive data.
Either way, it's a potential disaster for your business. Data breaches are expensive, and they're getting more so: According to a recent Ponemon Institute study, the average cost of a breach in 2010 was $214 per compromised record, up $10 from the year before. Those losses add up quickly for any business, but they can have an especially devastating impact on smaller companies.
And since the biggest data breach costs are related to customer turnover, a company could spend years restoring customer confidence and recovering lost revenue.
Obviously, the best way to avoid these costs is to ensure that a data breach never happens in the first place. But when your security measures fail and sensitive business data does escape, when and how your company responds can make the difference between a short-term crisis and a long-term calamity.
Step 1: Review Your Legal and Ethical Obligations
Data breach regulations can be quite complex; they typically involve a number of federal and state laws that dictate how and when to notify affected customers. Since some of these regulations may impose strict deadlines for reporting a breach, it's essential that you review and understand what's expected of your business -- preferably with the advice of an attorney.
At the same time, understand that a company's ethical obligation to notify customers about a data breach may exceed the letter of the law. A business that loses customer credit card information, for example, may not be legally bound to pay for credit report monitoring for its affected customers. But if you're serious about protecting your reputation and your business, simply following the letter of the law in such cases will not be enough.
Step 2: Don't Panic -- and Don't Rush Your Response
As the Ponemon Institute and other sources have noted, many companies act as quickly as possible to respond to a data breach and notify their customers. As it turns out, these "quick responders" actually pay more per breached record than companies that wait a bit longer to execute their response strategies.
Why? The most likely explanation is that quick responders don't have time to gather all the facts before they respond. They may have a limited grasp of the number of breached records involved, and as a result, they may notify too many (or too few) customers that their information was exposed.
This turns into a vicious cycle: Companies end up spending as much time correcting the impact of their own misinformation as they do dealing with the impact of the original breach.
Keep in mind, however, that "getting the facts" isn't an excuse for covering up or minimizing a data breach incident. Also, remember that data breach regulations always trump a company's own judgment when it comes to notification deadlines.
Step 3: Perform a Postmortem, and Act on Your Findings
The worst thing any business can do is to assume that data breaches are an unavoidable cost of doing business. The vast majority of breaches involve a failure to apply technology properly, so it is not only possible to remedy these failures, it is absolutely essential.
Consider the example of a lost or stolen employee laptop. It happens every day, and inevitably, some of those laptops will hold sensitive business data.
It's impossible to solve the lost laptop problem -- we all understand that it's going to happen. But your business can impose strict data encryption requirements on these systems or require employees to store sensitive data on your network, accessing it only through a VPN connection. Businesses can also combine these technology tools with policy and training measures that hold employees responsible for violating data security policies.
A data breach postmortem might turn up additional ways to improve how your company uses information technology. Network and endpoint security, antimalware tools, antiphishing tools and policies, and other solutions can work together to protect your data and your business.
Finally, consider hiring an outside consultant to perform a post-breach security audit of your company's systems and data handling procedures. You may think you know why a breach happened, but an objective, outside analysis might turn up a very different set of answers to that vital question.
Step 4: Keep Your Customers in the Loop
Technology can play a vital role in helping your company avoid future data breaches. Tech solutions are even more powerful, however, when your customers know that you're working to protect their security and retain their business.
This isn't a matter of deluging customers with technical details about your security procedures -- that's as pointless (and dangerous) as it sounds. But if you're developing new policies and procedures, or perhaps investing in new network security and encryption tools, let your customers know that you're making those investments.
Will that information keep every customer affected by a data breach from going elsewhere? Probably not. But it will give many customers the confidence in your security commitments to stay with your company. And ultimately, that confidence -- or lack thereof -- will determine how quickly your business recovers from a data breach incident.