The Top Mistakes Companies Make In Data Breaches

In just the last three weeks, we've been provided several salient reminders that data loss and theft are fast becoming a cost of doing business in the digital age.

First, there was The Washington Post's report on Shodan, a search engine that boasts of its ability to "expose online devices' including webcams, routers, power plants, iPhones, wind turbines, refrigerators, and VOIP phones. According to the story, even "moderately talented hackers" using the Shodan platform have been able to access supposedly secure systems that run water plants, power grids, and a number of other automated services we depend upon every day. In just the last two years, Shodan has accumulated data on almost 100 million devices that are in some way connected to the Web.

Shortly thereafter, it was reported that the wildly popular professional networking site LinkedIn had lost nearly 6.5 million usernames and passwords to a hacker that posted the confidential information to a Russian Web forum. Given that this breach lacked the scope, reach, and severity of the major data loss situations we've recently witnessed, most of us barely batted an eye after changing our passwords. That is, until the realization that many of the compromised usernames and passwords are likely exactly the same as the enterprise email addresses and passwords of the affected LinkedIn users—meaning that many sensitive business email accounts were exposed as well.

Finally, there was the release of Shred-it's Second Annual Information Security Tracker, which found that despite the growing complexity and probability of the threat, a startling number of small businesses aren't doing enough to protect confidential data. According to the report, 35 percent of small business respondents "do not have a known or understood protocol in place for storing and disposing confidential data." 28 percent "never train staff on the procedures and protocols that are in place." And 46 percent "do not have anyone directly responsible for mitigating [data loss] risks." Such statistics indicate that it isn't just the Sonys, Lockheed Martins, and Bank of Americas that are vulnerable to criminals, "hacktivists," and other miscreants seeking to access and share confidential data. The little guy is in the crosshairs as well.

All of this, combined with the fact that hackers breached 174 million confidential corporate records in 2011 alone, points to the conclusion that data loss and theft isn't an if proposition in the business world; it's only a matter of when and how the breach will occur. As such, ensuring appropriate levels of security represents only half of the equation. Companies also need to be ready to deal with the equally damaging brand and reputational impacts of an all-but-inevitable data breach.

To that end, here is my take on the top four mistakes companies make when publically responding to data loss or theft. Avoiding these pitfalls not only helps restore the organization's credibility and trust in the wake of a breach; it can actually enhance them among stakeholders who remember the response far longer than the breach itself.

1. Failing to use peacetime wisely.

In May 2011, a Bank of America employee leaked confidential information about his and a number of other employees' customers. The breach resulted in $10 million in losses and underscored two key aspects of the data loss challenge: the urgency of the "insider threat" and the ways in which entire organizations can be held to account for one malefactor's criminal acts.

At the same time, however, BofA's response provides insight into the ways that companies can use peacetime to fortify their brands and reputations against a breach. Today, when you visit the Bank of America website, you don't even have to scroll down the homepage to find a section on "Your privacy and security" that details the bank's "security commitment" and provides links by which customers can take measures to protect themselves. Such prominent placement, on such valuable real estate, at a time when no recent breaches have occurred may seem like overkill; but it ensures that customers, media, investors, analysts and others will have easy and instant access to BofA's prophylactic messages if another breach comes around. The fact that these messages are actively supported by Search Engine Optimization (SEO) tactics (BofA's Data Privacy Message is the top organic result for a Google search on "Bank of America and Data Privacy" further increases their visibility and utility at the moment they will be needed most.

2. Failing to respond with the speed stakeholders expect.

In October 2011, TRICARE Management Activity, which manages healthcare for millions of U.S. Defense Department and military personnel, was the subject of harsh criticism when it waited two weeks before disclosing the fact that five million customer records had been compromised. The company stated that it "did not want to raise undue alarm in our beneficiaries;" not realizing the real alarm comes when customers realize that their confidential data has been floating around for days—or weeks—without their knowledge. Customers want to hear about a breach, and what's being done to correct it, from the company itself and as quickly as possible. Doing so not only breeds confidence that the company is on top of the situation; it empowers customers with the information they need to protect themselves.

3. Falling short of full transparency.

In March 2012, Global Payments publically disclosed that 1.5 million credit cards numbers stored in its North American network had been exposed. Given the attention that large payment processor breaches typically receive, one would think that the story would have been the stuff of front page headlines across the traditional and digital media. It wasn't—and the company has full and total transparency to thank. Not only was the company the first to confirm that the breach had occurred (as advised above), it also took full responsibility for the incident, provided as much information about it as the ongoing investigation would allow, answered every question the media posed as fully as it could, and apologized to those impacted.

When companies obfuscate in data loss situations, they provide the media reason to dig deeper and keep the story alive as long as possible. When they put all of the details out in the open, they essentially kill the story because there is simply nothing left to report. Just days after Global Payments made its announcement, threatpost blogger Dennis Fisher cited the company as an example of "How to Make a Data Breach Disappear."

4. Providing details before all the facts are known.

In May 2012, Sony learned that while speed and transparency are essential elements of an effective public response to data loss, they should never come at the expense of accuracy. When the company announced that its PlayStation network was hacked and 77 million personal records were exposed, it faced a hard road back into its customers' good graces. But, days later, when it had to announce that an additional 25 million records had been stolen from its Sony Online Entertainment network before the initial breach had been discovered, its problems were compounded. The revision conveyed the sense that Sony didn't know where the bottom was and that more shoes would be dropping before long. Companies confronting data loss need to be seen as in control of the situation—and when they are forced to go back on previous statements about the breach, they seem anything but. Because confusion erodes confidence and destroys trust, Sony would have been better off admitting that all the details were not yet known when it made its initial announcement. When it comes to protecting confidential data, it's always better to appear cautious and careful, as opposed to fast and loose.

Preparation, speed, transparency, and accuracy. When these elements are the foundation of a public response to data loss, companies find stakeholders to be patient and willing to offer the benefit of the doubt. When they are not, companies risk making a bad situation far worse in an environment where consumers can accept that these things happen, but expect companies to know how to react when they do.

Richard Levick, Esq., President and CEO of Levick Strategic Communications, represents countries and companies in the highest-stakes global communications matters—from the Wall Street crisis and the Gulf oil spill to Guantanamo Bay and the Catholic Church. Mr. Levick was honored for the past three years on NACD Directorship's list of "The 100 Most Influential People in the Boardroom," and has been named to multiple professional Halls of Fame for lifetime achievement. He is the co-author of three books, including The Communicators: Leadership in the Age of Crisis, and is a regular commentator on television, in print, and on the most widely read business blogs. Follow him on Twitter and circle him on Google+, where he comments daily on brands.

[Image: Flickr user Will Hastings]

Add New Comment

0 Comments