Major computer security breaches seem to make the headlines daily now. From Target to the U.S. Office of Personnel Management to Trump Hotels, it seems no organization is immune to hackers determined to use a growing arsenal of sophisticated tools to infiltrate even the most advanced security protections.
According to AV-Test.org, there are more than 390,000 new malicious programs received every day. With those kinds of numbers, there is no guarantee that personal financial information can be completely protected by any organization. In fact, even the companies dedicated to protecting consumer financial data have become victims of data breaches.
LifeLock, one of the leading companies in the identity-theft protection business, is currently in trouble with the Federal Trade Commission (FTC) for just this reason. The FTC recently filed charges alleging that LifeLock violated a 2010 settlement in which the company vowed to stop making deceptive claims about its services and implement stronger measures to safeguard its own customers’ personal data, including credit card, Social Security and bank account numbers. The FTC said that, for a period of time, LifeLock failed to adequately guard the personal data it collected.
And just the other day, Experian, one of the three major credit bureaus and a company that sells consumer credit-monitoring and identity-protection services, disclosed a breach that may have exposed the data of about 15 million U.S. consumers.
If you are the CIO of a business that routinely deals with consumer financial information, you are likely nervous, too. And because there is no way to ensure your business is 100% protected against a breach, you should be prepared to deal with one should it occur.
Covering the bases
If your business suffers a data breach, you will likely be overwhelmed at first. The most important things to focus on, however, are containing the breach, fixing the underlying weakness, and notifying the parties you are obligated to notify.
First, solve the problem. Contain the breach (revoke compromised credentials, block the attacker's access, or take the affected system offline), preserve the evidence you will need later (logs, disk images, memory captures) before remediation overwrites it, then fix the underlying flaw and test the fix to confirm the leak is truly closed. Doing this before you announce the breach matters, because when you go public you must be able to assure your customers that the hole is closed and that you are doing all you can to protect them. One caveat: many breach-notification laws set deadlines that run from the moment the breach is discovered, not from the moment it is fixed, so remediation cannot become a reason to delay a required notification. Involve legal counsel from the first hour.
Next, activate the team that will handle the breach. The team should include a pre-designated spokesperson, ideally a technically minded member of the C-suite such as the Chief Risk Officer, CIO, or CTO, who can field the technical questions that will come up. Team members should be identified and trained before any incident occurs, and should understand that they will be working with authorities to relay details of the breach and to communicate progress.
Once the problem is under control and your team is in place, notify the critical parties. Internally that means the legal and public relations departments; externally it may include law enforcement, regulators, the payment card networks if card data was involved, and, above all, the affected customers. The customer notice should include a full apology for the breach; information about the nature of the breach, what was compromised and when; and concrete steps consumers can take to protect themselves going forward, such as changing passwords or placing a fraud alert on their credit file. Make clear to every audience that your company takes such issues very seriously.
Repairing your reputation
Once the smoke has cleared, you likely will still have work to do to mend your company’s reputation, and that could take time.
A survey from Experian and the Ponemon Institute found 54% of companies believe it can take anywhere from 10 months to more than two years to restore a company’s reputation following a data breach.
In the meantime, continue to do all you can to protect your company from becoming the victim of another breach. The effort is well worth it and a lot less expensive, both financially and from a reputational perspective, than the alternative.