Large-scale data breaches continue to fill the news cycle, with Under Armour, Panera Bread and Equifax among the recent victims of costly incidents. Ponemon Institute, an organization that conducts independent research on privacy, data protection and information security, reported in its 2017 Cost of a Data Breach study that the average breach costs a company an estimated $3.6 million and exposes roughly 24,000 records.
Those are big numbers, not to mention the negative hit on an organization’s reputation. Yet, surprisingly, companies still appear to be largely reactive regarding cyber threats rather than proactive, even though it’s ultimately their responsibility – both ethically and legally – to ensure that protected information on clients, customers, suppliers and employees is safeguarded.
Thankfully there are some clearly defined steps you can take that can go a long way toward minimizing – or even preventing – an information breach. Start by reviewing your general network security:
Inventory where sensitive personal information is stored, then assess those computers and servers for vulnerabilities.
Use encryption for sensitive data both in transit (when receiving it from or sending it to third parties over public networks) and at rest (when storing it on your network, on laptops, or on portable or wireless devices, which are the ones most likely to be lost or stolen).
Run up-to-date antimalware software and promptly install vendor-supplied security patches on network computers and servers.
Restrict employees' ability to download and install unauthorized software.
Employ a firewall, and limit network access to the services that actually need to be reachable.
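The encryption-at-rest item above is the one most often done badly, so here is an added example (not code from the original article or from Kaplan CFO Solutions) of how a record should be protected before it is written to a laptop or portable device: AES-256-GCM from Go's standard library, with a fresh random nonce per record, the nonce stored alongside the ciphertext, and an authentication tag so that any tampering with the stored blob is detected on decryption rather than silently yielding garbage. The sample customer record, the context string and the in-memory key are constructed for the demo; in production the key comes from a key-management service, HSM or OS keychain, never from the same disk as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext under a 32-byte key with AES-256-GCM.
// Output layout: 12-byte random nonce || ciphertext || 16-byte auth tag.
// The nonce is generated fresh on every call and is never caller-supplied:
// reusing a nonce with the same key breaks GCM's confidentiality and integrity.
// aad (additional authenticated data) is bound into the tag but not encrypted,
// so a blob sealed for one context cannot be replayed into another.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce slice, so the nonce
	// travels with the data and no separate bookkeeping is needed.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any modification to the nonce, ciphertext, tag or aad
// makes the authentication check fail and returns an error.
func Open(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func main() {
	// Demo key only (assumption): a real deployment fetches this from a KMS/HSM.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"name":"J. Doe","ssn":"000-00-0000"}`) // constructed sample record
	aad := []byte("customer-record:v1")                       // constructed context label

	sealed, err := Seal(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes (%d plaintext + 12 nonce + 16 tag)\n", len(sealed), len(record))

	plain, err := Open(key, sealed, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %s\n", plain)

	// Flip one bit of the stored blob, as a corrupted or tampered disk would: Open must refuse it.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := Open(key, sealed, aad); err != nil {
		fmt.Println("tampering detected:", err)
	}
}
```

The design point is that encryption without authentication (for example AES-CBC with no MAC) would decrypt a tampered blob to silently altered data; GCM refuses it. The other failure mode to watch is key storage: a key kept in a config file on the same laptop gives an attacker who steals the device both halves.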
It’s equally important to have a comprehensive response plan in place. Companies have slowly begun implementing incident response teams designed to eliminate or mitigate potential cyberattacks, an effort the Ponemon study suggests can reduce the average cost of a breach by 13 percent. Depending on the size and nature of the company, your team might include internal forensics, legal, IT, operations, HR, communications, investor relations and management.
This assembly is critical because breaches can and do happen. And whether hackers procured personal information from your corporate server or an insider stole customer data, immediate action is required.
First, stop the bleeding. Take all affected equipment offline, but do not power it off or wipe it until forensic evidence (memory, logs, disk images) has been preserved; you will need that evidence to learn how the attacker got in. Then move quickly to secure systems and close the vulnerabilities that allowed the breach. Simultaneously activate a communications plan that reaches all affected audiences, both inside and outside the organization: employees, customers, investors, business partners and other stakeholders. Use letters, websites and toll-free numbers to communicate with individuals whose information may have been compromised. If appropriate, consider issuing a press release and/or notifying other news media.
If the breach involves electronic health information, you may have to notify the Department of Health and Human Services (under the HIPAA Breach Notification Rule) or the Federal Trade Commission (under its Health Breach Notification Rule). If names and Social Security numbers have been stolen, contact the major credit bureaus. And don't forget law enforcement. Most states, and several federal regulatory agencies, have breach-notification laws or guidelines with their own deadlines and thresholds, so consult legal counsel early.
In your communication, clearly describe what you know about the compromise. Include how it happened, what information was taken, how the thieves have used the information (if known), and what actions you’ve taken to remedy the situation and protect individuals. Provide contact information. Don’t make misleading statements about the breach and don’t withhold key details that might help consumers protect themselves and their information.
This is not only good practice, it may shelter you legally as well. While failing to protect personal information generally carries no criminal penalties, businesses can be found negligent if their systems are not designed to prevent a risk of material harm. The FTC has brought enforcement actions under Section 5 of the FTC Act against organizations that violated consumers' privacy rights or misled them by failing to maintain reasonable security for sensitive consumer information.
Best advice: don’t be caught off guard. If you’d like to discuss how to minimize data risks in your organization, contact Kaplan CFO Solutions.