Data breaches are becoming increasingly common, according to many reports. While companies should strive to minimize their exposure, they should also have plans for dealing with incidents when they do occur. Organizations could especially benefit from planning how they will resume operations and how they will handle the process of notifying their customers.
If a network breach occurs “late on a Friday, you want to be operational in hours, not days,” said Chris Shenefelt, an executive vice president at Intersections Inc., which helps companies manage the resolution process. Shenefelt spoke at a recent panel on data breaches at a conference sponsored by the Online Trust Alliance.
The first step in planning is to identify who in the company will be responsible for each aspect of breach response, including legal issues, IT, and public relations, the panelists agreed.
Companies should also reach out to third-party providers of breach-resolution services before a breach occurs. For example, management should identify one or more credit monitoring or fraud prevention providers that the company wants to work with to offer assistance to customers in the event of a breach, said Shenefelt. Companies should, at a minimum, offer credit reports from all three major reporting agencies as well as at least a year of credit monitoring, he said. Customers should have at least 90 days to enroll in the program.
In most cases, organizations should also offer credit scores and identity theft insurance, he said. Scores do not necessarily help prevent fraud. Insurance, in Shenefelt’s experience, rarely results in generous compensation for incidents. But companies should consider such offerings because “customers really like them.”
(This is an excerpt from "Data Breach Preparedness Plan" in the March issue of Security Management.)