If a data breach occurs, your organization should be rightly concerned with timing. Contacting those affected by a breach is a first priority for many, but actually knowing when to do it can be complicated. It seems obvious that the notification should be fast, but making sure to have all the necessary information and support ready for victims can be difficult, especially for those who don't have proper policies in place.
According to multiple sources, the optimal time for notification falls between 30 and 45 days after the data breach is discovered. Viewpost CSO Chris Pierson established this time range, and said that it can also be paired with other rules that each organization should agree on.
Pierson said that the reporting should come after "facts are known" to reduce the chance for error and miscommunication, saying that "failing to allow for this time to report can cause greater harm and worry to customers as the facts will change from day 10 to day 30."
However, even with this simple plan ready, businesses will have to consider industry practices, expectations and the government policies that apply to them. The Federal Trade Commission acknowledges this in its own article saying that five factors, in particular, could dictate the way companies respond, which could include the time it takes them to send out a notification:
- State laws: Different laws apply throughout the country, so companies need to know what the prevailing rules say in the relevant region.
- The type of breach: Breaches can take several different forms, ranging from a deliberate attack to a misplaced device or drive with crucial information on it. The way the breach played out could affect how severe it is for those affected.
- What data was taken: Not all data is equally sensitive, even though protecting all of it is crucial. What's more, certain kinds of theft seem to be rising as priorities shift for criminals. The Identity Theft Resource Center reported this year on the increase in exposed Social Security Numbers between 2015 and 2016 alone. The share of breaches exposing this information grew from 43.7 to 52 percent, while credit and debit card exposures sank from 20.5 to 13.1 percent. Since an SSN can be misused in several different ways, it may carry a higher risk.
- The chances of criminal activity: Following on that, organizations may want to think about what a criminal might be able to do with the stolen information. How easy would it be for someone to steal a victim's identity or sell their details somewhere on the digital black market? The likelihood that criminal activity might happen, and the risk that comes from it, could be the defining question for notification efforts.
- Possible damages: Finally, there's the big one, the financial cost that affected individuals have to deal with. This is the area that insurance and monitoring efforts can try to help with. Without a proper estimate, businesses can get an inaccurate view of how severe a breach really is. A report from the Government Accountability Office actually found that the Office of Management and Budget invested too much money in cybersecurity coverage. This shows that the issue doesn't just involve private companies, but government agencies as well.
- Offers of identity theft protection: After a breach has potentially compromised the security of their customers' personal information, many organizations opt to offer identity theft protection and credit monitoring. If customers are offered a solution, like Identity Guard, to their increased risk of identity theft when informed about the breach, they may be more understanding about it, and the company can help mitigate any damage to customer loyalty and company reputation.
As with all breach conditions, the specifics are what really dictate what's going on. Identity Guard Business Solutions is a useful resource for organizations that are looking for a data breach and identity protection solution to help mitigate the damage to customer relations after a data breach.