Part 2: Mitigation
In spite of the most rigorous security measures, the best efforts and best intentions of you and your marketing research partner, a data breach can still happen. It can be a scary prospect, especially if the amount of data is large or if the sensitivity of the data is critical. The major thing to remember is that, if you do experience a data breach, a rapid, diligent response is needed to mitigate the potential damage both to your organization and to the people whose data was exposed.
4 Steps in Data Breach Mitigation:
- Your first step, as soon as you become aware of the breach, is to notify the key people involved: your client, your vendor, your IT security team, and any other key stakeholders. Because breaches are often discovered outside of normal business hours, you need to be prepared to drop everything and deal with the issue, even if that means late Friday night or early Saturday morning conference calls. Take every data breach seriously, even if you think the data is not highly sensitive or the breach is small.
- Your second step is to contain the damage. Remove the exposed data from Internet access, and from access by any unauthorized users, as soon as possible. You may then also need to contact Google and other search engines to make sure that cached copies of, and links to, the data are removed.
- Third, determine the level of sensitivity of the data. If it is non-sensitive personally identifiable information (PII), you may only be legally required to offer an apology to the people whose data was breached. But even non-sensitive PII breaches may be critically important to your clients if the people affected are their customers. If the data is sensitive PII, such as social security numbers or health information, legal requirements, which vary by state, will determine the response you need to make. Unfortunately, these responses can be expensive: formal notifications, paying for credit monitoring services for those affected, and potentially fines and penalties.
- Finally, determine how the breach occurred and fix the vulnerability that let it happen. Review all of your data security policies and procedures. Check your employees' compliance and, if necessary, remove employees who fail to comply with those policies and procedures.
How your company and your marketing research vendors handle the breach with the individuals impacted will depend on the nature and sensitivity of the information, the volume of data breached, your industry, state and federal laws, and the age of the data. But once that is handled, the most important lesson is to identify the cause of the breach and make sure it never happens again.
Read Part 1: Data Breach! Welcome to Your Worst Nightmare