Data Breaches: Being Prepared for When (Not If) it Will Happen to You

In our ever-more-cyber world, there is no getting around one very disconcerting fact: data breaches are going to happen. Almost every week brings a new story of a company or organization reeling from a data breach.

From high level government offices to the executive suites of the world’s biggest media companies, to small companies that may think they’re too small for cyber criminals to bother with, no one is immune. The damage and monetary cost of a serious hack is only growing. Brand reputations are being sabotaged. Trust in governments to keep confidential data safe is being eroded. Data thieves are becoming both more common and more brazen in their attacks and strategies. Companies of every kind cannot ignore the likelihood that data breaches are going to happen, and preparedness is the key to keeping damages to a minimum.

Having a Plan Is Crucial

Companies need to have a plan in place to deal immediately with the fallout from a data breach. That plan must include all the key stakeholders inside the organization. That of course includes IT. But it also includes HR, communications/PR, and the executive leadership. And the list should probably begin with legal counsel.

Legal counsel can guide the company through the difficult task of informing the proper parties involved. Counsel will also guide you through the process of dealing with the vendors who can trace the breach and provide forensic information on the breach.

Your Company Is Responsible for Proper Response to a Data Breach

Data breaches are particularly insidious because they often deal with a personal individual’s confidential information. Governments have strict regulations on just how a company should deal with the release of personally identifiable information (PII), which typically accompanies data breach. There are many aspects to these regulations that are best navigated with legal counsel – so again, any data breach response plan must include legal counsel throughout. If the regulations are not followed regarding your response to a breach, you could face fines.

Get the Message Out – Carefully

After coordinating with your legal counsel and preparing to execute your plan, getting the message out about your data breach is important to everyone involved. Immediate contacts include:

  • Law Enforcement
  • Credit Card Companies and Processors
  • Customers
  • Vendors
  • Clients
  • Employees

Your plan should include who the main contacts are, and when to reach out to them. Do not make any contact with these groups without first consulting legal counsel – there may be regulations around when and how these groups need to be informed.

Put Your Plan to the Test

Nearly as important as having an action plan is practicing the implementation of that plan. Doing this will help companies see where additional resources may be needed, and where plans need to be adjusted and more robust. It will also help organizations better understand how carefully data breaches must be handled. A test alerts employees to the serious nature of this type of intrusion. The test will keep everyone more focused and prepared when an actual event does occur – and perhaps raise employee awareness of the risk and reduce the likelihood of a breach occurring.

Commitment and Professionalism

There is no better way to prepare for a fire than to have fire drills. The same is true with data breaches. By having a detailed plan in place to protect your company in the event of a data breach, you show a level of commitment and professionalism toward not only the handling of the breach, but toward the general handling of sensitive information. Being better prepared and knowing exactly what to do is not only smart, but it protects you and your clients from further damage.

So whether it’s tomorrow or years from now, a data breach is probably coming to your company. Being fully prepared is one of the best things you can do for your company, your personnel, your vendors and clients, and all of the others affected by theft of personal or other proprietary information. A few steps and procedures can make all the difference when it really counts.


Peter FosterGuest blogger Peter Foster is Executive Vice President, Willis Americas, FINEX North America. Based in Boston, he consults with companies across varied industry sectors on emerging risks associated with network security and privacy, media, technology, errors & omissions and intellectual property.  His previous post on WillisWire was Cyber Insurance Market Has Key Role to Play in Boosting Cyber Security.

Categories: Cyber Risk | Tags: , ,

Leave a Reply

Your email address will not be published. Required fields are marked *