Saturday, January 28th was the 16th annual Data Protection Day. I know – how did that slip your mind? But while you may not have remembered the day, the chances are you are increasingly conscious of the need to protect your data and that which your business manages for others.
Last week, the latest GDPR and Data Breach Survey from law firm DLA Piper showed that while the average number of notified data breaches per day fell slightly from 328 to 300 notifications per day, European data regulators issued a record €2.92 billion in fines last year, up 168% from 2021.
These are headline-grabbing numbers, but the reality is that reputational impact is a far greater consideration than the threat of a fine. A 2019 survey found 81% of consumers would stop engaging with a brand online after a data breach. Trust is hard earned, but appears to be easily lost.
So, what can a business do to protect its reputation if it hasn’t been able to protect its customers’ or employees’ data?
The first is to have a plan in place. Any organization, even those with robust security measures, should adopt a “when, not if” mindset when it comes to cyberattacks, including identifying a cyber-incident response team and establishing a scenario-based response strategy. Typically, this would include identification and escalation; response to system shut-out/shut-down; incident confirmation; data exfiltration analysis; data leak and formal notification of data subjects.
Once you have this plan, put it to the test. Don’t just leave it to gather dust in a drawer or on a server you can’t access in a crisis (yes, we’ve seen that many times). Simulate what will happen in a Situation Room exercise, and carefully assess roles and responsibilities, and the need for any additional coordination.
At each stage, there are opportunities to protect your reputation. Much of this comes from what you do, of course, but a lot is also about what you say, and what you don’t. In a cybersecurity incident, there are unknown unknowns and known unknowns; thankfully, the latter tend to outweigh the former.
You’ll know there’s something wrong, but should be careful about the use of the word “cyber” until you’re sure that your IT issues are caused by a third party and not human error; this is important not only to prevent unnecessary concern, but also from a regulatory perspective. You’ll be able to tell people you’ve shut off systems in a precautionary manner, but not be able to say which are affected until a forensic team has investigated. You might identify ransomware is the cause, but not know if the hackers (or “threat actors,” as we call them) have taken (exfiltrated) any data. And even if data is taken – or even published – you’ll have to take time to carefully analyze what is in scope and if it falls under GDPR before notifying.
The challenge is: how do you communicate effectively? The first principle is to ensure alignment with legal. Incorrect terminology can create compliance issues; for example, it shouldn’t be referred to as a breach unless there is confirmation data has been taken. But this is about accuracy, not opaqueness; you should be telling your stakeholders what you can determine, and addressing what matters to them.
This should be less about the technical details and more about the impact on how people do their jobs, access products and services, or protect their personal data. If there are workarounds in place, let clients know. If there is an investigation underway, inform stakeholders and be realistic on timescales – they’re often longer than people expect. Update on restoration of services and don’t just keep the authorities in the loop, but also communicate that you are, as this will validate that you are responding correctly.
In doing so, your organization can free up resources to handle the unknown unknowns, maintain the trust of your stakeholders, and protect your reputation, even when data is under threat.