Online hacking, lost or stolen laptops, and improper disposal are just some of the ways that personal information that a company collects from customers and employees can get into the wrong hands and be used to commit identity theft. There are a variety of laws that dictate how companies must respond to a data breach, and the latest Ponemon Institute U.S. Cost of a Data Breach report shows that costs relating to data breaches continue to rise.
While a company’s practices will vary depending on the type of information it collects and the nature and scope of a breach, the following steps, taken before a breach occurs and after one is discovered, can help a company respond promptly and limit the impact:
Before a Breach Occurs:
- Take stock of the information that you collect, store, and share.
- Assess the security measures in place and identify risks.
- Create company awareness.
- Review service providers’ policies, practices, and contracts.
- Understand the applicable laws.
- Adopt a written data breach response plan.
- Determine available remedies in the event of a breach.
- Identify law enforcement and agency contacts.
After a Breach Occurs:
- Act promptly!
- Investigate the nature and scope of the breach.
- Identify the type of information accessed or acquired.
- Determine which laws are triggered.
- Assess who must or should be notified, when, and how.
- Decide what remedies will be offered.
- Document responsive actions taken.
- Anticipate regulatory investigations and/or litigation after a major breach.
Given the many ways personal information is collected, stored, used, and shared, the prevalence of data breaches, and increasing agency enforcement and litigation over companies’ privacy and data security practices, it is critical to have a plan in place before a breach occurs, and then to investigate thoroughly and respond promptly if and when a breach does happen.