It’s no longer an if your company will become the target of a data breach; it’s just a matter of when.
From small nonprofits to Fortune 500 tech-savvy organizations, data breaches and loss incidents are becoming an unfortunate rite of passage. More and more businesses have found themselves exposed and ill prepared to manage the fallout. In addition to the confusing (and conflicting) regulatory landscape, breaches can be quite expensive, with the average cost equaling $5.5 million. And while innovative defenses against privacy and security threats are introduced with each passing year, cybercriminals outpace those innovations with new and more malicious tactics.
As online trust is on the decline, 2014 needs to be the year of Data & Privacy Stewardship. This requires moving from minimal compliance to enhancing the protection of your company, your data, and your customers. In order to do so, consider the following New Year “data resolutions”:
1. Make sure your data practices are up to snuff
2. Implement the leading best practices to protect your data and consumers
The definition of “privacy” and the composition of Personally Identifiable Information (PII) continue to evolve. Applying last year’s rule may no longer be applicable. And as the dependency on outsourcing data becomes more popular, companies are increasingly sharing data that is highly confidential. While these outside parties must use this data to provide relevant services, both the business and outside party could face significant financial and reputational harm due to a data loss incident.
However, upwards of 93 to 97% of all breaches could have been avoided if simple controls and security best practices were implemented. This is not only due to accidental physical loss, but also from an ever-increasing level of deceptive tactics. Based on the rising number of social engineering exploits and data snooping via unencrypted transmissions, make sure to implement best practices such as email authentication, SSL, password management, encryption and hardening of client devices.
Ultimately, it is no longer optional to have adequate controls in place when implementing data and infrastructure practices. The businesses that focus on privacy, security, and brand protection holistically are the ones best equipped to protect their brand from a significant incident.
3. Ensure your response plan passes the test by regulators and consumers
The “business shock” of a data breach will not only paralyze operations, but it will also damage relationships with regulators, partners, and consumers. Inaccurate reporting and inadequate security-privacy practices foster grave consequences. Without an incident response plan, the inevitable breach will harm a company’s brand, increase liability exposure and engender a negative impression on your company’s bottom line.
A Data Incident Plan (DIP) is a playbook describing the breach fundamentals you can deploy at a moment’s notice. A good DIP will integrate your company’s collection, retention, and deletion policies. Organizations must be able to determine the nature of an incident quickly, immediately contain it, ensure that forensics evidence is not accidentally ruined, and subsequently notify regulators.
The scope of an organization’s plan should include:
- data classification,
- validating employees’ access to that data,
- an inventory of system access and credentials,
- retaining forensic analysts and cyber insurance,
- and implementing data loss prevention technologies.
The organization should also have an impact assessment regarding the loss of reputation, compliance, intellectual property, and business continuity. Once developed, communicate the DIP to all relevant parties to ensure an effective 24/7 incident response capability. A well-documented project plan is only as good as the training and readiness of the incident team.
4. Register for the OTA’s 2014 Data Privacy Day program
Whether you are new to privacy and security or need to update your DIP, the regulatory landscape is rapidly changing. Be prepared by joining TrustArc at the Online Trust Alliance’s (OTA) Data Privacy Day Town Halls hosted in New York City, San Francisco and/or Seattle. Register by January 20th and save 20% (use the code TRUSTe20).
Now in its 4th year, these Town Hall programs are your opportunity to learn and network with leaders in data privacy, security, and breach readiness. Make privacy and protection part of your brand’s value while getting updated on the evolving regulatory landscape.
Attend the morning’s networking breakfast and series of engaging panel discussions. Connect 1-1 with the FTC, Secret Service, FBI, State AGs, and others, discussing the latest in security, privacy, and data protection best practices. Attend the afternoon Breach Readiness Planning workshop to learn the fundamentals of response plans. From forensics to customer communications and working with law enforcement, these are the key steps that all businesses need to take when dealing with a data loss incident.
Let’s make 2014 the year of Data & Privacy Stewardship. Wishing you a happy, healthy and secure new year – we’ll see you at OTA’s Data Privacy Town Hall!