9 rules to follow after you've suffered a data breach

Data breaches have become so common that an etiquette has grown up around them. Any company that observes these nine rules has a good shot at coming through the fire intact


Data breach rule No. 4: Communicate across channels

If you've been hacked, you have many audiences to address and many ways to reach them. Your organization needs a consistent and coherent message to convey, and it needs to communicate it across all available channels: email, blog posts, press releases, Twitter, Facebook and other social media. eBay found itself in a harsh spotlight after its recent breach for issuing a press release to the media about the incident, but failing to make any mention of it on the eBay.com website and taking days to issue email notifications to customers advising them to change their account password.

Data breach rule No. 5: Customers come first, Wall Street second

While your CEO and other executives may be keen to reassure Wall Street and investors, remember that your first duty is to your customers. Companies that seem overly concerned about the impact of an incident on their stock price risk alienating customers who want reassurance that their data is being protected and, in the event of fraud, that they will be made whole. Offering to pay for credit monitoring services for those affected by the breach is a good start, but it shouldn't be the end.

Data breach rule No. 6: Kiss Pollyanna good-bye

If your company has suffered a hack, the message you send to customers, the media, and investors should be sober and communicate abundant caution. Be frank when talking about what data was taken, what those who took it might intend to use it for, and how those affected should protect themselves from abuse. Pollyanna-ish reassurances about not having "any evidence that the stolen information was misused" are commonplace, but they reassure no one and imply a "see no evil" attitude. After all, not seeing someone driving around in your stolen car doesn't make it any less stolen!

Data breach rule No. 7: Don't spare the gory details

With data breaches, the devil is in the details. When did the breach occur? How long did it last? How many systems were affected and what kind of systems? What steps have been taken in response? Consider the post by secure password service LastPass back in May 2011. After discovering anomalous activity in log files for a "non-critical" machine, the company assumed the worst and posted a blog entry containing a blow-by-blow account of what happened. Subsequent updates provided a frank discussion of "tactical errors" the company made in its response and its outreach to customers.

Data breach rule No. 8: Look ahead, not behind

Data breaches and other security incidents prompt changes within your organization, as well as in your relationship with your customers. Don't be shy about telling your customers what steps you will take in the future to make sure another, similar incident doesn't happen again.

Data breach rule No. 9: Move some furniture

If nothing else, data breaches and security incidents prove that whatever security measures you were taking didn't work. With that in mind, don't be shy about moving furniture around (or dragging some out to the curb) and letting your customers know that you're doing it. LastPass outlined a number of changes it was making after its security incident, from better instructions on logging on and off the service to the implementation of location-specific security features to the acquisition of additional server capacity.

This story, "9 rules to follow after you've suffered a data breach," was originally published at InfoWorld.com.
