[BreachExchange] Suffered a data breach? Here’s how you manage the fallout

Fri Jul 6 15:32:11 EDT 2018

https://securitybrief.co.nz/story/suffered-data-breach-
heres-how-you-manage-fallout/

If your business was to fall victim to a data breach, would you be prepared
to notify your customers?

While having an incident response plan is key, so is good communication.

Over the past week, we’ve seen several examples of high-profile businesses
falling victim to data breaches.

The fact they were breached in the first place is not surprising as
virtually every business that operates online is at risk of cyberattacks.

What’s more surprising is how some of these breaches have been managed –
particularly in regards to communication.

With changes to New Zealand’s Privacy Bill expected to come into effect in
the next 12 months, businesses should already be starting to put some
serious thought into what they would do if they were to fall victim to a
data breach.

Creating an incident response plan is a great place to start.

What this incident response plan looks like will vary from business to
business, but at the very least it should give key stakeholders within your
business a clear plan and overview of what needs to be done, by whom and
when.

>From a communications point of view, an incident response plan should do
one thing: reassure your customers that you care.

Based on what we’ve seen in the news of late, some have failed at this.

Good communication is a key part of any crisis or incident response
function.

Without it, people are left asking questions, they make assumptions and
they feel disregarded – all of which will ultimately affect how they view
your business; and whether they choose to interact with it in the future.

So, how do you reassure your customers in the event of a data breach?

1. Act fast

If your business were to be breached and sensitive customer data (credit
card details, address, passwords etc.) has been compromised, act quickly
and let customers know as soon as possible.

Don’t sit on it for weeks or months, work with your IT team or an external
security provider to quickly gather the facts, recommend a course of action
and notify customers.

In the case of the Ticketmaster breach, I received an email notifying me
that my credit card details may have been compromised and that I needed to
reset my passwords as a precaution.

This is what I would expect any company I do ‘business’ with to do in the
event of a breach – particularly if my data is affected.

Am I concerned that my credit card information may have been breached? Yes.
Will I stop using Ticketmaster because of the breach? No.

2. Be transparent

Don’t leave room for interpretation, provide all the facts and outline the
issue so customers know what has happened, what data has been affected,
when and how.

Trying to cover up the severity of a situation will only make things worse.

3. Just apologise

All too often, businesses struggle to do one simple thing: apologise.

Put yourself in your customers’ shoes.

Is the breach your fault directly? Probably not.

Does this mean you shouldn’t apologise for the inconvenience? No.

For the average person, a breach of their data is a violation of trust and
privacy, particularly if any personal information is involved.

Business and personal relationships are really quite similar - as with any
situation where you may have unintentionally done something to upset
someone– it’s best to say sorry, acknowledge the incident and outline what
you are going to do about it (full review, increase security, change
third-party providers).

4. Over-communicate

If the incident isn’t resolved, or if there is still a risk, let customers
know that the situation is ongoing.

It’s also important to let them know how you plan to update them so they
know where to look for updates.

These could be email updates, a dedicated page on your website or Twitter
updates.

Ideally, it should be a combination of several forms of communication as
not all people are on Twitter, for example.

If the issue is widespread and a large number of customers’ sensitive data
has been affected, you may need to consider running notifications in the
media (similar to what happens with a product recall).

Responding to a data breach doesn’t have to be complicated.

Having an incident response plan in place to deal with cyberattacks and
data breaches is part and parcel of doing business today.

Of course, when compulsory data beach notification comes into play here in
New Zealand, it will also be non-negotiable – so why not get everything in
line now?

It takes a long time for businesses to build a good reputation.

Without a good plan in place to deal with customer communications in the
event of a data breach, businesses are putting their reputation at
significant risk.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180706/6b28529f/attachment.html>