Your Firm Will Get Hacked — How Do You Respond?
September 9, 2016
By Bill Richmond, Vice President
A Duke University/CFO Magazine poll found more than 80% of businesses have been hacked. It’s not a matter of whether your firm will have its data compromised — it’s more a question of when it will happen and how extensive the breach will be.
Even with the best and most organized IT teams, hackers will eventually exploit a weakness. The good news is, companies are no longer judged based on the breach of data, but rather on how they respond, and that’s something that’s within your control.
We’ve helped clients across a range of industries work through this issue, including financial institutions and health care companies, where particularly sensitive information can be at risk. With the right crisis communications plan and a prepared staff, it’s possible to survive a data breach with your reputation — and client base — intact.
That’s not to say the process will be easy — the risks following a data breach shouldn’t be underestimated, and your clients are watching your response closely. If you don’t act quickly and thoroughly, you may not get a second chance. The range of impact runs the gamut from clients recognizing a hack is a reality in today’s interconnected world and being reassured by your company’s timely and effective response — to a major scandal with negative publicity, lawsuits and a downward spiral of your firm’s reputation.
The communications response is as critical as the technological response.
Advance preparation: Assemble a privacy breach team, identifying key individuals in your organization and what each person’s role and responsibility will be. This includes the CEO, senior managers and legal and communications staff. Once the team is identified, develop a written plan for responding to various scenarios. The time to prepare is before the storm.
Timely notification: Clients and vendors should be notified within 24–36 hours of learning of a breach. More than likely, you’ll need to notify regulatory agencies; include after-hours contact information and any timely notification requirements in your written crisis communications plan. Any delay in notice only worsens the problem. Even if you don’t yet know the full scope of the issue, make clear that you know there has been a hack and are working to identify the scope.
Be careful about talking definitively about the scope: Don’t say a hack impacted “x” number of customer files unless you are certain that is the full scope. You’ll only add a credibility and competency issue on top of the problem if you have to go back and revise upward the extent of the hack.
Set up a dedicated phone line. When you notify customers, provide them with a toll-free number to specifically answer questions about the hack. Don’t rely on a general office number or customer service line. Customers want someone to pick up the phone and provide answers to their questions. They don’t want to have to “press 9” after listening to options about hours of service, account status, etc.
Offer identity theft protection services. Depending on your business and the type of breach, consider offering customers six months or a year of free identity theft protection from a third-party service. While many may not take advantage of the offer, it is an opportunity to show you recognize the seriousness of the issue, and is a good investment in protecting your customers, bolstering your firm’s reputation, and ultimately, retaining your customer base.
Explain what happened. Tell your customers how the breach occurred (was it a technical deficiency, a phishing attack that exploited a weakness among employees, a third-party vendor problem, etc.) and what steps you’re taking to shore up the system.
Provide regular updates. When there is breach of customers’ personal information, notifying them once may not be sufficient. If the breach is extensive, consider setting up a microsite online to provide updates on status and next steps. At a minimum, provide customers with a follow-up letter or email when the response is fully implemented, reassuring them of the steps taken to limit the potential for such risks in the future.
Don’t overpromise. While there may be a desire — once any security holes have been patched — to assure clients their data is safe, remember hackers are always finding new ways to access data. Don’t fall into the trap of making promises that are beyond your ability to keep. Rather, tell clients what you are doing to reduce the risk of any further breaches.
In today’s interconnected world, there’s a high likelihood your company will be the victim of a hack. By communicating quickly and clearly, you can mitigate the impact that a hack will have on your business. If you’re ready to plan for the inevitable, and control the narrative when your data is attacked, we’re ready to help. Call us at 518-792-3856 ext. 127, or email firstname.lastname@example.org