Most Important Part in Mitigating a Data Breach
The other day, I was out to dinner and overheard someone saying they were going to take Lyft home. No offense to Lyft, but I’m pretty sure it was the first time I’d heard that. In fact, I think “Uber” has become the go-to word for anything related to borrowed transportation. But its verb status might be falling—for good reason.
Last month, it was revealed that Uber—a company that arguably turned the paid-ride business on its head in the last few years—had covered up a massive data breach that exposed the personal information of literally millions of people, drivers and customers both. Let me be more specific: 57 million customers were impacted. But rather than informing customers quickly about the hack, Uber instead paid the hackers $100,000 to keep it quiet.
Let’s let that sink in for a moment. The company knew personal information had been breached—among millions of team members and customers—and then kept it a secret to avoid bad PR. It’s no wonder folks are turning to Lyft. In fact, in today’s marketplace, honesty is an increasingly hot commodity. And just like data, honesty is hard to recover once it has been breached.
Indeed, according to IBM and Ponemon, the average cost of a data breach in the United States is $7.35 million. And by November 2017, nearly 175 million records had been exposed throughout the digital marketplace. This is an increasingly important issue—and it requires more than better security. It requires damage control.
Mitigating the Damage of a Data Breach
I know what you’re thinking: “This information doesn’t apply to me—my company is small and low-profile. We don’t have 1,000 records, let alone 1 million!” But it turns out half of small and mid-size businesses experienced a security breach in the past year. This is something every company—no matter its size—needs to keep top-of-mind as we continue to forge the digital transformation. The following are some things to keep in mind if—or when—your company gets hit.
Step 1: Communicate. It seems so obvious, but apparently—as in the case of Uber—it isn’t always the first thing people think of when a data breach occurs. Companies always need to have two communications plans in place—one for their internal teammates, and one for their outside customers. Both should be as transparent as possible, and should instill confidence that there is clear leadership and organization surrounding the breach itself.
Step 2: Fix it! Again—obvious. But you need to find the root of the data leak or hack and secure it as quickly as possible to limit the amount of data impacted. This could involve immediately engaging a data forensics team, securing the physical environment, changing relevant passwords, and/or immediately roping in legal counsel to determine whether the breach must be reported to any relevant governing agencies.
Step 3: Record it. Record every action you took following the breach, including who you communicated with, and when. It’s important that your company is able to prove to customers that you did everything within your power to limit the damage if you want to keep their faith in you intact.
Step 4: Revisit. As with any major event, it’s important to circle back with relevant parties to see how the issue was resolved, and how it could be handled better in the future. Update your communications plans based on feedback you received from customers so they know they were heard and cared for. If needed, update training to reflect new business policies surrounding data breaches. And as I shared just a few days ago, don’t be afraid to reevaluate how much user data your company really needs. The less data you collect, the less data that can be compromised.
And last, but not least—apologize. You’d be surprised how far a sincere apology will go in securing consumer confidence. In today’s market—where we speak, shop, and judge in real time—that apology needs to come quickly. If not, you won’t just be facing lost data. You’ll be facing a lost consumer base, as well.