Hacking and data breaches are now about as common as shoplifting. Incidents like those at Target and Snapchat are everyday business news (and the topic of endless meetings, conferences and symposia). While some companies are clearly better at risk analysis than others, the increasing sophistication of attackers (from recreational to state-sponsored) should place data breaches at the top of the assessment and planning agenda. The question is, why do the responses to some of these recent incidents seem so inept (or at least so ill-planned)?
Using coverage in the business media as the only guide, company strategies often seem to range between “hope no one finds out” and “we’ll tell ‘em only what we have to (i.e., creeping candor)”. In the history of crisis management, neither of these approaches has proven very effective.
If there are any lessons from companies that have managed this process successfully, they rest on the central planning assumption that “what can be known, will be known.” While perhaps not literally true, the increasing number of malicious hacks, coupled with the myriad state and federal regulations that require notification, virtually assures that a breach will become public at some level, particularly for consumer brands. Other lessons include:
[li]If you don’t control the news, it will control you. Companies need to control the message (through traditional, digital and social media) by being the first and primary source of information on the breach. [/li]
[li]Prepare to respond in real time. Incident response plans (business continuity, IT, communications, etc.) need to be fully integrated, so the company’s responses can be both immediate and closely aligned.[/li]
[li]Simple notification is not enough. The individuals affected by the breach (whether customers, employees, patients or suppliers) should be treated as you would treat your own family: prompt notification, free monitoring and identity repair services, and a 1-800 call center.[/li]
[li]Planning is essential. Include data breach scenarios in crisis planning/response drills and exercises. [/li]
[li]Review risk transfer options. Cyber risk insurance policies can cover a wide range of breach-related costs, including forensic analysis and notification costs.[/li]
The Hawthorn Group L.C.
“Plans are useless, but planning is essential.” Gen. Dwight D. Eisenhower