Friday, April 13, 2007

You've been breached!

My last post described the typical requirements of the various breach notification acts that your business is likely subject to, and some of the steps you should take to avoid a breach. But what if you've already had a breach? Perhaps you're reading this today and tomorrow you'll get a call from your IT director with some bad news. What are you going to do?

Your first reaction is probably to call your lawyer. And I certainly can't argue against that. However, I do want to caution you: legal counsel is important in these situations, but if they are allowed to drive your response to the breach, it will almost certainly be at the cost of customer relationships.

Your lawyers will be able to advise you on your responsibilities and liabilities. But they will likely advise you in ways meant to protect your company from any possible legal ramifications. They probably won't try to view the breach through your customers' eyes, with consideration for how you can best save those relationships.

If my company suffered a breach, my first call would be to the team at Identity Safeguards. Identity Safeguards was founded by John Davidson & Rick Kam. John experienced ID theft firsthand some years ago. It was such a terrible experience that he decided to build a company that would be dedicated to helping individuals recover from such situations.

The company has evolved over the years and now spends most of its time helping companies and institutions deal with data breaches. They help your management team establish a comprehensive plan for assessing the breach, alerting your customers and helping the impacted individuals protect themselves. Their work is conducted from your customers' point of view - and as a result, they help you to tell your clients about the breach without losing their confidence in you. If you have had a breach, I strongly recommend that you contact them immediately.

Once you have a trusted advisor on your side who can help you address the breach without losing your customers, the rest of your work is relatively elementary. You'll need to take active steps to make sure that such a breach can't happen again. You'll need to be sure your responses are in compliance with all applicable legislation (this is really where your legal team can be helpful) and you'll need to engage the authorities to see if they can identify and prosecute the criminals (don't get your hopes up - fewer than 10% of these types of cases are ever prosecuted).

But saving those client relationships is absolutely job #1. And for that, hiring an expert like Identity Safeguards is worth every penny.

Josh
