[BreachExchange] Communicating Data Breaches with Employees

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 16 18:16:01 EDT 2016


http://blog.backup-technology.com/15056/communicating-data-breaches-employees/

Data breaches happened less frequently in the past. With the increased
activity in ransomware, data breaches are now becoming a daily
occurrence. Major corporations like Sony, Domino's and Home Depot have
been hacked. It is believed that there will be more data breaches in the
coming months and years. If, as an employer, you find yourself in the
unfortunate situation of a data breach, how are you going to communicate
the breach to your employees? What happens after the security breach?

Be Transparent

Employers should notify employees of the breach as soon as possible once
they have all the facts about it. Employees have the right to hear about
the incident directly from the employer, rather than from circulating
rumours. On the other hand, companies are also required to make sure that
workers keep the shared information strictly confidential, at least until
it is officially announced.

An Inside Job?

It is essential to ensure that employees receive the right information in
a timely fashion. Tell them that the relevant department has started
investigating the matter, without divulging too many details of the
breach, so as not to alert the culprit in case it is an inside job.

An Outside Attack?

Share more detailed information about the breach (as it becomes available)
if your investigation confirms that the cause is not internal. Update
employees as frequently as possible. This will ensure that workers are not
worried about their personal information. Personal information such as
addresses, social security numbers, birthdays and salary amounts can be a
recipe for identity theft.

Personal Information

You need to think about the Data Protection Act (DPA). In the UK, for
instance, businesses must adhere to the DPA. This act requires employers
holding personal information on their workers to keep that information
safe and secure. The DPA is very helpful in avoiding information breaches.

Businesses must report data breaches to the Information Commissioner in the
UK. It also makes sense for employers to inform and update their employees
at the same time. If it is confirmed that employees' personal information
has been compromised, the employer should offer support to the affected
employees: advice on what the next steps should be and what to do if an
unauthorized credit card transaction is posted to their account. Detailed
procedures should be described so that the victims can take immediate
action whenever they face identity theft or an unauthorized bank
transaction.

It would be better to develop a database or provide a fully dedicated
hotline so that staff can call and ask questions about the breach.

Official Press Release Statement

It is important to communicate with all employees, informing them that they
are not authorized to speak to the press about the incident at any time.
Tell them that this is a standard process and everyone should follow it,
because the breach affects the company's reputation and business.

Remember that data breaches are juicy stories. Reporters and bloggers love
to write about them. Many true and false stories will be written. The key
is to share the details with employees and issue an official press
release. You can win the trust of your employees by sharing timely
information with them. This will give them more confidence, and they will
not share the details outside the company. The last thing you want is for
employees to learn about the breach from a third-party website or other
traditional media.