02 Jun 2014

How To Manage A Data Leak

Every organisation tries to prevent data leaks from happening, but even the best security policies can go awry. Malware and unintended employee action (or, at times, intended action) are both very common causes of data leaks, and they can occur even with the most robust security policies in place. For instance, social engineering can bypass an organisation's security completely: because it works by an attacker contacting a person within the organisation, it relies on the human capacity to make mistakes rather than on any technical weakness. For this reason every organisation also needs a clear, defined strategy for managing a data leak should one occur.

Below you'll find some basic steps for managing a data leak efficiently. Each organisation will need to form its own plan that takes into account its business and the sector it operates in, but the steps below can serve as a template to build upon:

1) Make sure you're aware of precisely what data has been compromised.

Many organisations are not fully aware of the specifics of the data they store. When that data is breached, they are largely blind as to what, exactly, was stolen. In order to manage the damage and fallout from a data breach, the first port of call should be to determine what data the organisation holds and why it holds it; from there it is possible to assess the damage the breach could cause. This needs to be done before any communication leaves the organisation, otherwise you simply will not know what to tell your customers.

2) Work out who to notify.

The immediate urge in the event of a data breach is to notify everyone and then scramble to resolve their individual concerns. But telling every customer about the breach immediately, without being sure whether their specific data was taken, will simply cause confusion. Instead, work out whether only a subset of customers is at risk, and if so, notify them immediately. Later on you will want to notify the rest of your customers to assure them that their data was not compromised, but the immediate goal must be to address those genuinely at risk.

3) Communicate only when you can be sure the information is accurate.

There are regulatory conditions on how soon an organisation must notify customers in the event of a data breach, but where there is a window of time, it is better to hold off sending notification messages until enough accurate information has been gathered to communicate clearly and effectively. While it is never a good look if your customers think you are withholding information, getting the statement wrong and causing confusion amongst your customers is an even bigger problem.

4) Say the right things.

It is a good idea to set up template emails and web pages in advance so that, in the event of a data breach, the specific details can be written into the templates and sent out to customers. This saves time, but more importantly, rushing to write a full statement explaining the issue during a breach invites mistakes. The fewer opportunities there are for miscommunication, the smaller the risk that the communication itself causes confusion and exacerbates the problem.

Organisations also need to be keenly aware of their regulatory requirements before a data breach occurs. If there is no compliance officer in the organisation (which can happen in small businesses), then the managers themselves need to know this information. To regulators, the response to a data breach is as important as its prevention, and so every organisation needs a clear strategy in place for when the worst happens.