Six Mistakes Companies Make in Data Breach Handling

October 11, 2016

If data breaches continue at their current pace, 2016 will exceed the 780 reported breaches that exposed approximately 178 million records. The cost for each compromised record is $217, the Ponemon Institute reports. The average loss in brand value can range from $184 million to $330 million, and it takes about a year to restore a breached company’s reputation.

Whether a company is a small, one-county shop or a national operation, how it handles a data breach reveals the type of business it runs, how well it treats its customers and the long-term forecast for its success or failure.

According to Experian, here are the six worst errors a company can make in handling a data breach and tips on how to avoid them:

  1. Failing to be proactive. The time to begin handling data breaches is before one ever occurs. Every company should have a detailed, comprehensive data breach response plan in place. Your plan should include a designated response team (including decision-makers, external response services agencies, public relations, IT, cyber security, etc.), a communications plan, customer care plan and data breach response letter templates. Not sure where to start? Experian’s Data Breach Response Guide is available for free download.

  2. Responding too slowly. Every day that a cyberattack goes undetected, or is detected but left unchecked, is another day of escalating damages to your business and customers. Continuous threat detection is essential so that you can quickly identify an incident. Prevention and remediation technologies need to be continuously updated to ensure you’re able to halt the damage as soon as the breach is detected, according to Experian.

  3. Over-reacting. Doing or saying too much before you have all the facts can be just as damaging as doing nothing. Keep internal and external communications limited to strictly what you know and what others need to know. Never hypothesize. Likewise, you may be tempted to quite literally pull the plug on computer systems and networks to block the incursion, but that can bring business to a total standstill. Experian recommends focusing on isolating affected systems and data from other at-risk portions of your network.

  4. Communicating poorly (barely or inaccurately) with affected consumers. Effective communication with affected consumers is not only the law, it’s vital for mitigating reputational damages. Again, keep communications factual, but don’t overlook the need for empathy. Experian says to provide affected customers with access to a 24/7 help line that is staffed by customer service representatives trained in data breach response.

  5. Leaving affected customers on their own. Communicating with customers is critical, but not enough on its own. Studies have shown that consumers expect care and compensation from the company through which their data was exposed. In addition to a help line, Experian advises considering free credit monitoring and/or identity-theft protection products for customers whose information has been exposed.

  6. Failing to learn from the incident. Every data breach response plan should include a post-mortem component. Don’t wait for the dust to settle to implement it. Begin analyzing what occurred right away, looking at how it happened and what you need to do to strengthen your defenses in order to prevent a breach from occurring in the same way in the future, Experian suggests.


Contact ALTA at 202-296-3671 or communications@alta.org.