Do’s and Don’ts of IT Security Breaches

The security breach that started it all took place in the United States over a decade ago, in 2006. Laptops and hard drives were stolen from the home of a U.S. Department of Veterans Affairs data analyst who apparently took his work home with him.

Sensitive personal information on 26.5 million vets and military personnel went out the door with the laptops, creating the biggest IT security breach ever for the U.S. government.

These days, organizations have wised up a bit and taken steps to prevent physical theft of hardware. But as we all know, breaches often happen through hacking and insider involvement. They may happen through different channels these days, but the fact still remains: CEOs, CIOs and CSOs need to constantly be on their toes.

While your company may have data security standards in place, what about a protocol for when breaches do occur? It’s equally important to know what to do if a breach takes place. Here are the main “do’s and don’ts” of IT security breaches.

1. Notify Customers

When Vodafone Germany suffered a major cyber security breach in their popular modems a few years ago, hackers were able to gain control of the PCs of WiFi and DSL customers.

That’s damaging to a telecom’s reputation, but what could have been even more damaging was if Vodafone hadn’t informed their customers right away. It’s best to ‘fess up and inform customers of any known security issues as soon as possible. One reason is so they can monitor their bank account and credit card activity for suspicious transactions. Another is trust.

Is it Mandatory?

Failing to notify customers of a data breach is actually soon to be illegal in the EU, where privacy and data laws are more stringent than anywhere else on the planet. Data breach notification laws have recently been passed in Australia as well. While there’s no data breach notification law at the federal level in the U.S., most states have laws on the books. Canada, like the EU, has strict laws at the federal level. Finally, New Zealand has proposed legislation in the pipeline, but as of this writing it’s still stuck in Parliament.

2. Notify, But Not Too Soon

In the rush to engender trust in your organization after a data breach, make sure you don’t notify too early. You’ll want to get all the facts straight, so let investigators do their jobs first. They’ll work to find out what happened, so that when you inform your customers you’ll be in a better position to communicate all the facts.

3. In the Meantime, Issue a Statement

If you’re concerned about notification but investigators haven’t given you a report yet, a statement might do the trick until you make an official breach announcement. Tell customers you’re aware of an issue that may or may not affect them, and that you’ll notify them with details the minute you’re able.

4. Define Terms for Insurance Purposes

A security breach is not the same thing as a security incident. Knowing the difference will make your claims process easier, and you’ll know what to expect as far as which notification costs are covered.

5. Work Breach Notification Into Your Customer Relationship Policy

If your organization has a customer-centered mentality, you’ll definitely want to cover breach notification under customer relationship management practices. Customers want to know that you’re looking out for their best interests, so it’s especially important that employees on the front lines of communications know how to handle information on data breaches.

These “do’s and don’ts” can serve as a starting point for your organization. If you don’t already have a breach incident protocol manual, now is a good time to get started.