Preparing for data breach response should involve practising with third parties, and repeating the processes.
Speaking at the ATM & Cybersecurity 2019 conference in London, Mark Whitehead, head of customer breach support at Deloitte said that “reputation is an ethereal thing” and hard to control.
He said that reputation is fundamentally based on two things, what you do and what you say, along with how you perform. “If you don’t do everything you can, you’re losing the ability to influence in the first place,” he said. “In terms of how you plan and how you prepare, your role and influence becomes incredibly important and brand and reputation means a lot more than you think it does.”
He recommended having the following steps in place, as “no matter how good you get it, you will never be famous for doing it well, but you will be infamous for doing it badly.” These were:
- Communications – How do you get out ahead of social media, and don’t develop messages on the fly
- Speed – This is of the essence, as if you don’t respond quickly, you will be behind the message and the press
- Capacity and Capability – Your capability is designed and sized to support ‘business as usual’, so consider how to manage that and still support the customers who are affected
- Identity Protection and Repair – Your insurance will cover this, but only 10-20% of customers will take this opportunity up, so consider whether it is an effective means of protecting customers
- Professional Expertise – Whether it is a law firm, crisis communications or a claim team, it is important to have professional entities of people who have been through the process before
Whitehead said breach response preparation was a classic case of “make friends before you need them” in the event of a crisis. Pointing to the Information Commissioner’s Office, he said that EU guidance to the supervisory authorities clearly sets out 11 criteria for assessing organizations after a data breach, including whether a fine is warranted and how large it should be.
One point states that “any action taken by a controller to mitigate the damage suffered by data subjects” should be considered, and of the 11 criteria, “this is the only one to talk duty of care to data subjects.”
Whitehead said that, if you have exercised duty of care, you may or may not get a fine. “So worry about duty of care and your customers; not just because from a brand and reputation perspective, as if you don’t look after them they will go elsewhere,” he said. “But you should also worry about your duty of care as it is the tipping point for the supervisory authorities to decide on the size of the fine.”