How to Inform Your Staff of a Data Breach

 

ARE YOU EXPERIENCING A BREACH? Contact Emerge for help at 859-746-1030.

To learn more about security that can help prevent a breach from happening, visit: https://www.emergeits.com/simplify-security

 

If there's one thing worse than system crashes and the loss of info, it's data breaches. The threat to privacy and confidential or sensitive documents impacts the internal dynamics and public trust in your company. Your staff is on the front lines. Their own personal information could be affected, plus they could find themselves getting questions from customers. Think ahead about how to inform your staff of a data breach, should one occur. Consider how to handle the ensuing internal and public fall-out and how to prevent future occurrences. 

 

Notify Staff As Soon as Possible

The first thing to do the moment you discover a data breach is to notify the authorities. Then let them know that you are notifying the staff, so that they're aware of what everyone may or may not know.  

 

The second thing to do is to notify your staff. You want them to hear it from you first. Choose the most efficient communication channel not affected by the breach. This might mean gathering everyone to tell them in person. However you tell them, keep in mind any staff members who may be out in the field, travelling, or home sick. Make sure you find ways to reach everyone.

 

Tell them as much as you know--no more, no less. Let them know about any immediate steps they can take to minimize damage. Employees also need to recall what personal information they stored on devices or within documents, so that they can take steps to protect it.

 

Moving forward, inform employees each time you learn something new. Update them frequently. Also, clearly let them know what information has been made public. Tell them when you plan to contact customers and the media to ensure that employees don’t say anything too soon.



If Employee Data Was Affected by the Breach

Your company holds a wealth of personal information about its employees. Your staff will be rightfully concerned about their own data. Again, tell them exactly what you know and update them as you learn more. Reassure them that you will take necessary steps to protect their privacy and identities, just as you would with customers. Remember, your team members are valuable company assets. Treat their concerns with respect.

 

If an Employee is Behind the Breach

The Society for Human Resource Management shares a sobering fact. “Most of those breaches won't be committed by nefarious, unknown forces. The damage will instead come from employees.”

They go on to say, however, that most employees compromise information inadvertently. So you can choose to give someone the benefit of the doubt--a challenge during a crisis situation. Do not make any accusations, internally or publicly, without confirmation and the backing of your legal department.

 

Familiarize Your Staff with Security Breach Notification Laws for Customers

As difficult and uncomfortable as it is, it's necessary to be open and honest. Customers need to know what to do, and what you are doing in the moment and for the future.

 

Prepare your staff for this situation before it happens. Have your public relations and/or your legal team spend some time with outward facing staff. Include customer service reps, salespeople, administrative personnel, and anyone else who interacts directly with customers. Remember, every member of your staff represents your company to the public--but focus on these key roles first.

 

Most states have security breach notification laws, as described here by the National Conference of State Legislatures. These dictate the proper protocols for notifying customers that their information may have been compromised. If your company handles personal health records, review the compliance guidelines for notifying patients under the HIPAA Breach Notification Rule or the Health Breach Notification Rule.

 

Appoint someone to address all questions from the media, and prepare those statements as soon as possible. Should your typical spokesperson, say your VP of Public Relations, be travelling or unavailable, know who is next in succession. Advise employees to direct any questions they cannot or should not answer to your public relations department.

 

Develop and publicize a FAQ that lists all contact information for credit agencies, and resources for customers worried about identity theft. Don't sugarcoat what happened. On your website, prominently display notice of the breach, and reiterate it through emails and physical letters to customers. Also emphasize how they can get in touch with your company, as well as who will respond, how, and when.




Train staff on a data breach response policy, and periodically host practice sessions to confirm that everyone knows the protocols. Ideally, you will never have to deal with zero-day threats, or other serious leaks and infringements. It's better, though, to know how to inform your staff of a data breach, and how to proceed throughout, in case the unthinkable happens.

 
