July 12, 2018
Five words no organisation wants to hear: “we have a data breach.” This is the stuff of nightmares, and with increasing value placed on data, companies should hope for the best but always plan for the worst. Here are some guidelines on what to do and not to do after a data breach has occurred:
When the Singapore arm of AXA Insurance suffered a data breach earlier this month, an email was sent to the 5,400 affected individuals, informing them of the data theft. This allowed customers to be vigilant against potential phishing attempts and to monitor for suspicious activities on their credit accounts.
In the interest of minimizing loss and reputational risk, it is best to notify customers of any known data breach as soon as possible. Inexplicable delays in notification are damaging to both organizations and customers. It took six weeks for Equifax to inform their 143 million customers whose private data was stolen – drawing criticism from the public and industry alike.
With the European Union’s General Data Protection Regulation (GDPR) coming into force in 2018, it will soon be a punishable offence for organisations to fail to inform customers of a data breach promptly, with maximum penalties of up to €20 million or 4% of global annual turnover, whichever is higher. Moreover, the GDPR applies to any company that does business with EU citizens, even those based outside the EU.
In the rush to rebuild customers’ trust after a data breach, organisations should be cautious and avoid sending confusing or incorrect messages. It is imperative to find out exactly what happened before informing customers, to be in a better position to communicate pertinent facts. If investigations are ongoing, the organisation should issue a holding statement to notify clients it is aware of the issue and will provide further updates as soon as possible.
Both AXA Singapore and Equifax have been criticised for the lack of clear information provided to customers impacted by their respective data breaches. AXA did not give an official comment on exactly when the data breach occurred, whereas Equifax failed to even provide a definite answer as to which individuals were affected by the breach.
A sincere apology will go a long way in rebuilding customers’ trust. Taking ownership of the mistakes made leading up to the breach and offering constructive solutions will garner the best response from the public.
Organisations should go out of their way to offer exceptional support to customers affected by the breach. Provide clear, concise instructions for affected customers to follow, whether it is resetting their account passwords, enabling multi-factor authentication for future logins, or activating credit-monitoring services.
Never brush off the potentially serious consequences of a data breach or make it hard for customers to get answers. Appearing clueless is the last thing organisations should do in their external communications.
Avoid communication channels and methods that scream “spam” or “phishing attempt”: only send emails from the organisation’s main domain, and link to helpful tools from the official website so that customers hesitant to follow email links can find them on their own.
As a prime case of what not to do, Equifax infamously directed victims of its data breach to a fake phishing website for over two weeks – inattentive customers could have ended up leaking the very data they were concerned was stolen.
Avoid hasty or overzealous reactions after a data breach, such as curtailing employees’ access to critical information, which might backfire and end up hurting productivity. Organisations should undertake an honest assessment of the breach and fix any security flaws immediately. Also look out for other potential flaws and strengthen existing security measures to prevent future incidents. The remediation plan should also include employee training and monitoring programmes, especially for cases of accidental and/or insider breaches, which make up the majority of incidents.
Ultimately, all companies should have a response plan in place in the event of a data breach. After all, “it's not a matter of if there is a breach, but when there is a breach.” And don’t neglect your physical data processes. It is surprisingly common for companies to spend millions on cyber security only to see paper documents full of confidential data walk out the door.