Prepare for a Data Breach: We’re All at Risk Now
There are two kinds of companies today: those that have already had a data breach and those that don't know their data has been breached. It's a sad fact of our time that nearly every aspect of our society has been hacked, including education, business and government. The Venable law firm reports that 621 confirmed data breaches occurred in 2012 alone, and that retailers represented 21.7 percent of network-based data breach incidents. Is your company ready? What will it cost for it to be ready? Can data breaches be prevented? These were just some of the key questions covered in a recent Direct Marketing Association (DMA) webinar on retailer readiness for data breaches.
Q1. What can retailers and other companies do to be prepared?
Every company can take a proactive approach to consumer data protection and security, starting with the checklist that's in our newly released 2014 Ethical Business Requirements for the industry, said Senny Boone, general counsel for DMA and the association's lead on compliance and ethical standards. Should you be in a situation where you're dealing with law enforcement, it's important to have a published privacy and security policy as well as documented internal processes and meaningful employee training. This isn't just for protection of your business, but for protection of consumers and the fragile trust that you hold with every customer and prospect.
Q2. Is the marketing department responsible for data breach readiness and data protection?
Marketers are at the epicenter of data breaches because of their closeness to the data and their commitment to advocate for the respectful treatment and care of consumers and data, Boone said. Thus marketers have the ability and opportunity to break down silos and be the lead on data security policies with other functions like legal, privacy, IT, colleagues in marketing (e.g., email, social and digital) and even HR people. For example, the DMA Guidelines now include guidance on "BYOD" or bring your own device. No longer just an HR issue, this impacts your employee training too.
Q3. How ready is "ready"? Is this a document you create and keep for a crisis?
Keeping yourself a moving target is good advice in life as well as data security, said Stuart Ingis, Esq., managing partner at Venable LLC. Readiness is about preparedness, but also keeping up with practices, processes and technologies. It requires listening to customers and adapting the readiness program to include new channels. Ingis advises that you plan ahead and identify a team before a breach occurs in order to lower costs of data breach response as well as minimize impact and processing time. Your plan should facilitate a prompt and coordinated response in order to be rapid, thorough and reasoned. You want to focus on notification for both internal teams and external parties (e.g., customers, partners, credit card companies, and, even if not required, regulatory agencies and law enforcement).
Q4. What if a data breach does happen?
When a data breach happens, a lot will be going on at once — in addition to your daily activities. Your data breach response timeline will need to be a multifaceted approach, because response includes many moving parts that all need to happen at once. These range from call-center training to PR to law enforcement cooperation to research on relevant elements. You can't start with nothing; you have to have a plan or blueprint to figure out how to proceed, said Milo Cividanes, Esq., partner, Venable LLP.
The first 72 hours post-breach are critical to your business. You need to quickly pull together your team, get the plan out and contact your insurance company to trigger coverage if appropriate. You also need to respond to the situation, which could have other legal obligations and can vary by state.
Breach notification is regulated. Nearly all (47) states have breach notification laws, each with its own requirements. The rules apply not just to the business's location, but to the location of the people and/or data affected. Be sure that your knowledge of the requirements is up to date. The laws generally require notification if a name is combined with personally identifiable information such as an email address, Social Security number, credit card number, etc.
We advise everyone to assess now where they stand with regard to data security, and also to stage a mock situation that will test their ability to react quickly and responsibly, Ingis said. It's better to make that investment up front and be ready if something happens.
Q5. How much does a data breach cost?
The financial cost of a data breach in 2012 was estimated at $5.4 million, Venable reported. Furthermore, that doesn't necessarily include the costs to recover brand reputation and consumer goodwill, or the cost of regulatory investigations even when there is no litigation.
Q6. Are consumers worried?
The DMA hasn't yet seen a massive consumer hue and cry over data breaches, Boone said. The association accepts tens of thousands of consumer complaints per year about marketing practices, most of which are around choices offered via our consumer services like DMAChoice.org (opt out for direct mail) and AboutAds.info (opt out for behavioral advertising).
Consumers do have anxiety and unease about marketing promises due to the recent compromising situations, so every marketer must be transparent and visible in practices around the collection and use of data.
Stephanie Miller is the senior vice president of member communications and engagement at the Direct Marketing Association (DMA), the world's largest trade association dedicated to advancing and protecting responsible data-driven marketing. Stephanie can be reached at smiller@the-dma.org.