Somewhere in about 1999, Scott McNealy, CEO of Sun Microsystems, shocked many people by saying that “privacy is dead, get over it.” Apparently, though, as hundreds of companies are finding out in various data breach events, the privacy of people’s data really matters to a great many people.
According to an article from Varonis.com less than 20 percent of people would continue to use a hotel chain if it was revealed they had a major data breach and fewer than 17 percent would continue to use a bank that had a major breach. Rideshare services, such as Uber, took the biggest hit, with only 7 percent trusted with their data and business again after a breach.
Fines and data breaches go hand-in-hand.
And it’s not just the brands that take a hit. According to CSO Online Equifax agreed to a $575 million dollar settlement with the Federal Trade Commission. British Airways was fined $240 million by ICO, the UK’s Data Handling Organization for poor security that allowed an outside group to skim over 500,000 credit card. Uber was fined $148 million dollars for the poor security allowing hackers to breach the accounts of 600,000 drivers. Marriott International paid a fine of $124 million by ICO after poor security of 500 million accounts, that lasted for several years.
According to the Varonis article, over 85 percent of customers have told a friend what they know about the breach or breaches, a third complain about the company’s privacy policies on social media, and another 20 percent comment directly on the companies own website.
What to do about a breach
According to independent corporate attorney David Page, who also consults with many corporations on intelectual property law, there are several steps to handling a data breach:
Get ahead of the media onslaught – No matter what you do, there will be heavy media scrutiny. But, if you release the information first rather than have it announced and discovered by others, it’s so much worse.
Threat share – Some organizations will gladly spread the news on the breach fairly and responsibly. Rely on them to spread the news.
- Come up with a complete notification plan.
- Get the IT department, the department, and legal together with top corporate executives to come up with a complete, organized plan, including notification to those affected.
- Hire a competent Chief Information Security Officer
- The new CISO will help show how serious the company is in restoring confidence and security.
- Be as transparent as possible
- Transparency with everyone, including investigators, forensic security officials, the public and the media, are essential.
Attorney Page also shares a few things not to do:
- Don’t pay hackers and try to keep it quiet
- This is what got Uber is so much trouble. They attempted to pay $100,000 to the hackers to make the breach disappear.
- Don’t wait to notify the public
- The longer you wait, the worse it gets. A breach is sort of like a band-aid. Pull it off and let the consequences unfold.
- Avoid necessary retractions
- You should avoid making statements until all the facts are in. Retraction of previous statements merely weakens your companies position further.
- Avoid the firing trap as a solution
- Some companies, anxious to get the damage of their reputation repaired quickly, simply fire a few key individuals such as the head of IT and even the CEO. But that’s no substitute for the hard work of really managing and avoiding data breaches through a weak security structure.
Ultimately, both fines by governments, as well as customer loyalty disappearing, will force companies to pay more attention to how they handle data and privacy. Get ahead of it now, before you are forced to make costly changes.