Your organization may be sitting on a gold mine—or a land mine. The personal data you collect in the course of doing business is a treasure trove for identity thieves, and that makes you a rich target for criminal attacks. Your mission is to do whatever you can to stop them.
While identity theft can't be prevented, the right preparations make a breach less likely and mitigate the damage if one does occur. In many cases, your efforts will succeed. And if someone does get through your defenses, a clear, effective breach response plan—along with the resources you'll need to execute it—can save you, your customers, and your employees a world of hurt.
The world of data security is complex, and securing networks is a job for experts. But here, in broad strokes, are key principles to consider when preparing for the possibility of a data breach.
1. Know your risks.
First, think through exactly what your organization does with data, and especially with personally identifying information (PII). What information do you collect from customers, employees, or vendors? Where and how do you store it—in a file cabinet, on a laptop, in the cloud? Who has access? Are they properly trained? Are digital files encrypted? Are your premises physically secured? Do third parties—partners, consultants, contractors, service providers—process or store sensitive data on your behalf? What are their security protocols? Questions like these will help you map your exposure, identify risk factors, strengthen your defenses, and plan your response in the event of a breach.
2. Know your obligations.
When you accept responsibility for the PII of a customer, employee, or partner, you take on ethical, legal, and regulatory responsibilities as well. The details vary based on the type of organization you have and the jurisdiction you're in. Some records—health information, in particular—require specific protections. Whatever the specifics, it's your job to know and address them, and to remember that beyond the legal and regulatory requirements, you have an ethical duty to deal with the effects of a breach on each individual involved.
3. Minimize your risk.
After mapping out your data, your risks, and the legal and ethical requirements you must meet, evaluate how best to protect against intrusion, theft, and unauthorized access. We tend to view such defenses in terms of technology. To be sure, network security, data encryption, anti-virus and anti-malware software, rigorous password policies, and other tech-centric approaches are essential. Still, physical security, employee training, and personal trustworthiness are also crucial. Plenty of data breaches can be traced to an unlocked door, a background check that never happened, or a simple mistake.
4. Make a plan.
Create a how-to plan for managing an information breach. Decide in advance what constitutes a breach and triggers a response. Once it exists, don't just put it in a drawer. You may not want everyone to know how your firewall is configured, but you do want data security to be a priority, and every individual needs to understand their role in keeping data safe.
5. Take action.
In a best-case scenario, you'll never reach this step. But if a data breach does happen, the following steps are essential:
- Identify the breach and launch a response. Determine that the criteria for triggering a response have been met, then escalate the situation to the appropriate managers and experts within the organization to launch the breach response plan.
- Investigate the breach. Determine its source, scope, duration, and cause, all of which are essential to identifying whose data was exposed and how to prevent a recurrence.
- Report and notify. Alert the internal and external parties specified by your policies, contracts, and the laws and regulations that apply in your industry and jurisdiction.
- Remediate and recover. Plug the holes and repair the damage.
- Help the victims. Finally, help those affected by the breach. The law may require it, and ethical and business considerations make it a no-brainer. One important step is to provide a victim assistance program matching the nature of the breach and the information compromised—including access to a fraud expert, a means to review credit reports and ongoing credit and public records monitoring through a reputable service with a proven track record in dealing with data security and identity theft.
While the steps outlined above give the bare essentials, every organization has its own circumstances and specific needs. Above all, you need to know the signs of a breach and what they mean for your organization—and to understand, before that happens, how you're at risk and what your next steps should be. Your customers and employees are counting on you.
Adam Levin is the chairman and cofounder of IDentity Theft 911 and Credit.com. Adam’s experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.