We humans have an ingrained “It won’t happen to me” attitude, as well as a head-in-the-sand reaction to things we don’t – or don’t want to – fully understand. It’s part of our nature.
However, there are millions of cyber-incidents every day in the U.S. – yes, millions per day! And any one of them could happen to you. Hackers stole personal information from 110 million accounts in 2014. And it’s not just focused on large government agencies or mega-corporations. Human/employee error was responsible for 96% of successful data breaches – either responding to phishing emails or the free iPad offers, or just sending out sensitive data to the wrong email addresses. And 25% of data breaches are from paper files.
As you can see, no one is exempt.
The costs can be significant – they include:
- Business downtime, distraction and the cost of ruined hardware and software
- Reputational damage impacting customer trust and continued shopping
- Fines and penalties by the FTC and the Department of Health and Human Services (HHS).
An Idaho hospice was fined $50,000 by HHS’s Office for Civil Rights for the loss of fewer than 500 patient records. They had no policies or procedures for securing the mobile devices (laptops) that contained HIPAA records.
So businesses must consider a data breach as almost inevitable: it will happen to you!
You need a Response Plan
There are five basic steps to create a simple, practical plan:
- Prevention is always the risk manager’s first step – let’s do everything reasonable to prevent a data breach from happening. This means cyber and data security and employee training.
- Recognition that a breach has been attempted or has already occurred is something many small and mid-sized organizations miss.
- Notification must be handled quickly to avoid fines, and accurately to minimize costs. You need immediate access to a specialist privacy attorney and competent forensic computer analysis people.
- Protection for customers, clients and employees is key to avoiding lawsuits and making victims feel cared for.
- Communication must be ongoing after any major incident to close the loop and restore confidence with customers, regulators and employees.
Future RiskSmart Tips will dig deeper into these five steps with more detailed help.
Cost-Benefit
Your Plan doesn’t have to be elaborate, but having these steps mapped out is a proven best practice. There are myriad examples of companies – large and small – who dropped the ball and got themselves in significant financial difficulty.
- You must respond quickly – to all your audiences: employees, clients, regulators.
- In a potentially chaotic situation a planned response is one that works.
- A response plan makes you look organized and professional – not up the proverbial creek without a paddle.
Call or email with questions or for no obligation help getting started.