A sad fact of our time is that every company is at real risk for a criminal data breach. Nearly every aspect of our society has been hacked, including education, business and government. One report quoted by the Venable law firm in today’s DMA webinar on Retailer Readiness for Data Breaches found that 621 confirmed breaches occurred in 2012 alone and retailers represented 21.7% of network-based breach incidents.
This clearly illustrates the need for every company to take a proactive approach to consumer data protection and security, said Senny Boone, General Counsel for DMA and our lead on Compliance and Ethical standards. “This is not just for protection of business, but for protection of consumers and the fragile trust that we hold with every customer and prospect,” she said.
“The Marketer is at the epicenter of data breaches because of our closeness to the data and our commitment to advocate for the respectful treatment and care of consumers and data,” she said. “Thus marketers have the ability and opportunity to break down silos and be the lead on data security policies.” There is a checklist included in the newly updated 2014 Ethical Business Guidelines, and should you be in a situation where you are dealing with law enforcement, it’s important to have a published privacy and security policy as well as documented internal processes and meaningful employee training. This collaborative approach must include legal, privacy, IT, your colleagues in marketing (like email, social and digital) and even HR people. For example, the DMA Guidelines now include guidance on “BYD” or bring your own devices. “No longer just an HR issue, this impacts your employee training,” Senny said.
“Be a moving target, get your practices in line with the DMA Guidelines and other best practices, establish your training and legal notification strategy now,” Senny advises. “Figure out the most appropriate law enforcement contact and make that part of your planning process, as well.”
“Keeping yourself a moving target is good advice in life as well as data breaches,” agreed Stuart Ingis, Esq., Managing Partner at Venable LLC. “Nearly all (47) states have breach notification laws, each with their own requirements. The rules will apply not just to the business location but to the location of the people affected or the data affected. Be sure that you have your requirements up to date.”
Stu advises that you plan ahead and identify a team before a breach occurs in order to lower the costs of breach response and minimize impact and processing time. Your plan should facilitate a prompt and coordinated response, so that your response is rapid, thorough and reasoned. You want to focus on notification, both for internal teams and for external parties like customers, partners, credit card companies and, even if not required, regulatory agencies and law enforcement.
Stu advises that your plan should include:
- Ordinary remediation for the security breach
- Identification: assemble a team that will deal with incidents
- Investigation strategies
- Evaluation: assess whether a reportable breach has occurred
- Education: train employees to report incidents and train the team on plan implementation
Senny agreed. “Your goal in readiness preparation is to reduce and mitigate the negative impact and make sure you have proactive planning in place,” she said. “There is always a risk, but we want to provide you with guideposts to help you prepare and reduce the impact if it happens.”
When a data breach happens, a lot will be going on at once, in addition to your daily activities. Your data breach response timeline will need to be a multi-faceted approach because response includes many moving parts that all need to happen at once. These range from call center training to PR to law enforcement cooperation and research on relevant elements. You can’t start with nothing, you have to have a plan or a blueprint to figure out how to proceed, said Milo Cividanes, Esq., Partner, Venable LLP.
“The first 72 hours are critical. You need to quickly pull together your team, get the plan out, contact your insurance company and trigger coverage if appropriate, and also respond to the situation which could have other legal obligations, which can vary by state,” he said.
We advise everyone to assess NOW where you stand, and also to stage a mock situation that will test your ability to react quickly and responsibly, Stu said. “Better to make that investment upfront and be ready if something happens,” he advised. Venable estimates the financial cost of a data breach in 2012 at $5.4 million. That doesn’t necessarily count the costs of recovering reputation and consumer goodwill, or of regulatory investigations, even where there is no litigation.
Milo agrees, “There are only two kinds of companies today: Those who have been breached and those who don’t know that they’ve been breached.”
Notification is regulated, and so your business decisions about notification should start there, without going too broadly so that you create unnecessary fear, Stu advised. “The laws generally require notification if a name is combined with a PII identifier like email, social security number, credit card number, etc.”
DMA has not seen a massive consumer hue and cry over data breaches, Senny said. DMA accepts tens of thousands of consumer complaints a year about marketing practices, most of which are around choices offered via our consumers services like DMAChoice.org (opt out for direct mail) and AboutAds.info (opt out for behavioral advertising). “We do see complaints about phishing attacks (especially those that promise a sweepstakes winning) and malware,” she said. “Consumers do have anxiety and unease about marketing promises due to these kinds of compromising situations, so every marketer must be transparent and visible in your practices around collection and use of data.”
Please take a look at the presentation deck from the event, and let DMA know of any questions or concerns you may have.