How Should Your Organization Respond to Data Breach?

The Pew Research Center recently reported results from a January 2014 survey: 18 percent of individuals had personal information such as Social Security numbers, bank account information, and credit card details stolen from online accounts, and 21 percent had an email or social network account hacked. Trusted retail giants such as Target and Neiman Marcus have fallen victim to malware that can access customer credit and debit card data.

IT News reports that data breaches numbered 25,566 in 2013, more than double the 10,481 recorded in 2009. Data breaches result from theft by an individual hacker or group, terrorist activity, or the loss of electronic devices. Targets for data breach can be any online source, including individuals, companies, public institutions, financial institutions, governments, and retailers.

The Government Accountability Office recently issued recommendations for government IT groups in the event of a data breach; however, the recommendations can also be applied to firms and other organizations.

  • Organizations should commit a dedicated team to data breach response. This team should include the chief information officer, the lead communications officer, management, and the manager of the affected unit.
  • Employees should be trained in rapid and appropriate response to data breach. Regular training should be provided concerning privacy and security issues, and staff who are not trained should not be given access to information and information systems. Staff should undergo periodic refresher training.
  • Any breaches should be assessed, documented, and reported to the necessary internal and external units. Procedures for such reporting should be in writing and readily accessible to all concerned staff. Once the risk has been identified, depending on the threat level and possible consequences, management should determine whether notification to affected groups or individuals is required and the appropriate method for doing so.

Assistance should be offered and provided to affected parties. Consider a compensation strategy to mitigate any negative consumer opinion that may affect company reputation. Companies should incorporate a “lessons learned” policy following any breach and make any changes necessary to avoid future risk. A&A Search can help you find qualified and experienced IT staff to meet your security and data needs. Contact one of our experienced Boston recruiters for more information.