It’s no secret that the frequency of data breaches is increasing and impacting companies of all sizes, from all industries, on both a national and global level. The first six months of 2019 set records reaching 4.1 billion compromised files, including banking information, credit card numbers, and Social Security numbers.1
According to a report issued by the Identity Theft Resource Center, in 2018 alone, more than 145 million records were compromised by employee negligence.2 In today’s unpredictable but probable data breach risk environment, not having a substantial and vetted data breach response plan in place to react quickly to a data breach can be devastating in more ways than one.
Failing to respond appropriately can result in financial and reputational damage, including:
- Brand damage
- Customer migration
- Regulatory scrutiny, fines, and class-action lawsuits
- Executive termination
The 4 Main Reasons Data Breach Responses Fail
According to a study completed by IBM, companies are one-third more likely to experience a breach than they were five years ago.4 Recovering from a large-scale data breach depends on two fronts: the speed and quality of the response. With so much at stake and even more to manage, including following relevant laws, having a regularly tested data breach response plan is vital. That being said… if having a data breach response plan is so vital, why do so many fail? Here are four main reasons:
- NO BUDGET: Many companies and security teams don’t have a budget in place for a consumer response plan.
- NO TESTS: Even the best plans could fail if they are not put through the paces. To fully prepare to respond to a data breach successfully, companies should undergo drills and live event simulations to confirm that their plan has no gaps and to ensure that everyone involved is aligned.
- NO FLEXIBILITY: Response plans need to be flexible enough to accommodate both small and mega data breaches that impact various customer populations. Too often, companies only prepare for a specified affected population.
- NO SENSE OF IMPACT: Many companies believe their chances of being impacted by a data breach are slim. The reality and inevitability of a data breach occurring is something companies and security executives should prioritize as we begin a new decade.
Data Breach Response Plan Must-Haves: Speed and Quality
The Case for Speed
News of a data breach travels at the speed of light and goes viral almost instantly, it seems, leading consumers to expect a quick, “no excuses” response. To get ahead of the breach response and mitigate risk, companies need to react in hours, not weeks, as most Americans expect notifications within 72 hours of a data breach.5 Aside from responding fast, being prepared with a quality website, phone system, and notification technology is essential. This infrastructure should be rapidly available and ready to deliver at scale. Company decision-makers should be aware of the amount of support they would need to service a data breach affecting 10% of their customer population, while also being ready to service a breach that affects 90% of their customer population. These two scenarios are extremely different, which is why companies need to plan ahead for the worst-case scenario.
The Case for Quality
When it comes to data breach response plans, quality is key. If a company responds quickly but ruins its response with sloppy messaging and a poor online portal, consumers will deem the total response effort a failure. To achieve quality, affected consumers must be able to reach a customer service agent quickly and gain access to any websites that will resolve their compromised data and protect them going forward. With more than 66 percent of consumers reporting that they’d stop doing business with a company if it botched its data breach response, companies must get their response right.6
How Do You Ensure and Test for Readiness?
Now knowing why most data breach responses fail, how do you recognize the signs of readiness within your organization?
Ask yourself the following questions:
- Leadership Involvement: Is your C-Suite engaged and regularly discussing your plan?
- Success Metrics Defined: Does your company have confidence the response will be delivered rapidly and with high quality? What about for a data breach affecting 10% of the customer population? What about a mega breach?
- Plan is Tested: Has your team pressure-tested the response plan? Have you gone through the live drills necessary to ensure your agents have the correct messaging? Is your online portal working with the large influx of site traffic? Is everyone involved aligned on the message you will communicate to the public?
- Resources are Ready: Do you have dedicated resources on deck to quickly notify the public and the appropriate call center capabilities to accommodate the consumer demand?
Guarantee Success with Experian® Reserved Response
Answering the above questions may seem daunting; this is where Experian comes in. Experian’s Reserved Response program is the industry’s first and only program that guarantees (with SLAs) the manpower, infrastructure, and response readiness to companies during these stressful times. From walking you and your team through live event drills to guaranteeing that you have the appropriate number of dedicated call center agents and support ready in as little as two business days, the Reserved Response program is key to mitigating the risks that come with a data breach.
Visit www.experianpatrnersolutions.com/reserved-response to learn more and connect with a Reserved Response Expert today.
1 2019 MidYear QuickView Data Breach Report
2 2018 Annual Data Breach Year-End Review, ITRC
3 2018 Cost of a Data Breach Study: Global Overview, Ponemon Institute
4 2018 Thales Retail Report; 2. Cost of a Data Breach 2019 Study-IBM
5 Experian 2019 Data Breach Consumer Survey
6 Experian 2019 Data Breach Consumer Survey