Top 6 Mistakes Companies Make in Data Breach Handling

Published: August 23, 2016 by Michael Bruemmer


A data breach can be a character-defining moment for any company. Whether you’re an international conglomerate or a small business, how you handle a data breach speaks volumes about the kind of company you are, how well you treat customers, and your long-term prognosis for business success or failure.

By mid-July 2016, 538 data breaches had exposed a known 12.9 million-plus records, and countless other records may have been compromised in incidents for which the scope of the breach was not yet known, according to data from the Identity Theft Resource Center. If breaches continue at that pace for the rest of the year, 2016 could well be on its way to surpassing 2015’s totals of 780 breaches that exposed approximately 177.8 million records. Research by Ponemon Institute tells us that the average cost for each compromised record is $217, the average loss in brand value can range from $184 million to $330 million, and it takes about a year to restore a breached company’s reputation.

Given those statistics, it’s critical for companies to masterfully handle data breach response at every stage, from pre-incident planning to post-incursion security management. Here are the six worst errors you can make in handling a data breach, and how you can avoid making them:

  1. Failing to be proactive. The time to begin handling data breaches is before one ever occurs. Every company should have a detailed, comprehensive data breach response plan in place. Your plan should include a designated response team (including decision-makers, external response services agencies, public relations, IT, cyber security, etc.), a communications plan, customer care plan, and data breach response letter templates. Not sure where to start? Experian’s Data Breach Response Guide is available for free download.
  2. Responding too slowly. Every day that a cyberattack goes undetected or detected, but unchecked, is another day of escalating damages to your business and customers. Continuous threat detection is essential, so that you can quickly identify an incident. Prevention and remediation technologies need to be continuously updated to ensure you’re able to halt the damage as soon as the breach is detected.
  3. Over-reacting. Doing or saying too much before you have all the facts can be just as damaging as doing nothing. Keep internal and external communications limited to strictly what you know and what others need to know. Never hypothesize. Likewise, you may be tempted to quite literally pull the plug on computer systems and networks to block the incursion, but that can bring business to a total standstill. Instead, focus on isolating affected systems and data from other at-risk portions of your network.
  4. Communicating poorly (barely or inaccurately) with affected consumers. Effective communication with affected consumers is not only the law, it’s vital for mitigating reputational damages. Again, keep communications factual, but don’t overlook the need for empathy. Provide affected customers with access to a help line that is staffed by customer service representatives trained in data breach response.
  5. Leaving affected customers on their own. Communicating with customers is critical, but not enough on its own. Studies have shown that consumers expect care and compensation from the company through which their data was exposed. In addition to a help line, consider offering free credit monitoring and/or identity-theft protection products to customers whose information has been exposed.
  6. Failing to learn from the incident. Every data breach response plan should include a post-mortem component. Don’t wait for the dust to settle to implement it. Begin analyzing what occurred right away, looking at how it happened and what you need to do to strengthen your defenses in order to prevent a breach from occurring in the same way in the future.

Legal Notice: The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.