I recently wrote an article for LinkedIn Pulse about data breach response which received great feedback from readers that I want to analyze further. In summary, the article was about the steps that companies must take to respond to data breach incidents regardless of where the breach occurred. Obviously companies will take somewhat different actions depending on whether the incident occurs within their own business boundaries or elsewhere; however, the smartest companies will learn from incidents that occurred elsewhere and be prepared to deflect any attempts to defraud them and their customers with the stolen information. Data breach incidents that occurred elsewhere are great opportunities to learn from and to teach employees about risk management without spending the money that the affected company must spend to manage its post-breach risks.
After reviewing and responding to some of the reader feedback, there were a few points that I wanted to bring up and analyze further. First, the image posted with the article, which read “Breach Proof”, was confusing to some readers because the article is about responding to data breach incidents. The point that I wanted to emphasize with the article graphic was that companies can be fraud proof after data breach incidents. Just because consumer information is stolen from companies, it doesn’t mean that the personal data can be used to defraud companies and consumers. This is one of the reasons that the Red Flags Rule was introduced in the US: to require companies to be prepared to deflect any and all fraud attempts using stolen information, no matter how or from where the information is stolen. Personal information is often stolen for fraud purposes, although hackers, thieves, and breach masterminds may steal company information for other motives, such as to prove their skills, to punish the company, or for espionage.
Second, the management of a company which experiences a data breach often seems to be surprised by the breach and the volume of stolen data. I think that, given the frequent reports of data breach incidents at some of the largest and best-funded companies, it is realistic to expect that a data breach is inevitable at one point or another, and the best that we can hope for is that the incident happens somewhere else. Once we accept that this event is inevitable, whether at our own companies or somewhere else, we can act quickly to plan a formal data breach response. Notice that I used the words "quickly" and "formal" because time is often not on management's side, and the plan must be approved at the highest levels to be well funded and supported. An effective data breach response will take into consideration the many risks that must be managed, including risks arising from data stolen elsewhere. For example, an identity fraud prevention program aligned with government-approved techniques will not only ensure effective fraud prevention but also compliance with the regulations, which I expect to be a high risk for companies given the correlation between breaches and fraud. When risk management and regulatory compliance are joined as if they were one and not separate from one another, then we are on the right track.
Third, business reputation management seems to be at the top of the priority list in data breach response, probably because companies think that their customers will be turned off and leave their business after learning the data breach news. When companies think this way, it means that they view a data breach as reflecting negatively on them. This assumption may be true, but it is even more important to convey a message to customers, before and after a breach occurs, which says that:
a) we are doing everything to protect your information, and here’s how we do it,
b) a data breach is inevitable anywhere,
c) when a breach occurs, we will inform you as soon as we have completed our impact assessment, and tell you about your risks and what we are doing to respond,
d) we will provide you with an identity protection service,
e) we have a fraud management program to limit your losses, and we take full responsibility for any fraud that occurs within our business boundaries.
And lastly, a company should be as concerned about having a fraud prevention program as a data breach prevention program, because data stolen from one company can be used to defraud consumers elsewhere. In other words, your company and customers face not only the consequences of your own data breach incidents but also the consequences of data stolen from elsewhere.