Best Practices for Managing Organizational Data Breach Privacy
At conferences, networking events, trade shows, or even casual social gatherings, you have probably found yourself listening to someone describe a data breach or other cyber incident their business suffered. The conversation may have been genuine and not meant to diminish their employer's reputation, but there's no doubt that afterwards you viewed that organization differently, and not for the better.
This comes down to keeping unnecessary information from the general public — commonly called privacy. So often, you see regulatory requirements, guidelines, and online resources like articles or checklists about how to properly manage and disclose incidents involving customer data and their privacy. And yes, those actions are vital for liability and regulatory purposes.
But have you ever thought about protecting your own organization's privacy in the event of a breach? A breach will already have plenty of implications for your business. Believe it or not, there are right and wrong ways to manage your organization's privacy, both in how you handle the incident internally and in how you disclose it to the public.
Best Practices for Organizational Data Breach Privacy
A data breach is already harmful to a business and its customers. Data could be lost, systems shut down, and a considerable expense may be necessary to get everything back and running. This doesn’t even take into account long-term reputational harm that could occur as a result or its adverse impacts on procuring cyber insurance, during a company audit, or while an organization is under investigation.
These are sensitive situations that need to be handled with care to uphold your brand reputation and financial success — all coming down to organizational privacy management. With all that said, here are some best privacy practices to follow for your organization before and after a data breach takes place:
Protect Yourself with Legal Agreements
As a way to be proactive, there are a few routes you can take through legally binding agreements and contracts. First, have any of your employees, contractors, vendors, or partners sign a non-disclosure agreement (NDA). It can act as a stand-alone contract or an item within your service or employment agreements. The agreement establishes that all parties agree not to share sensitive company information with others.
Another thing to be aware of is some of the miscellaneous terms found in your service agreement with anyone who might be of assistance to you during a cyber incident. This could include your cybersecurity consultant, managed-service provider (MSP), managed-security service provider (MSSP), virtual CISO, or security software vendor.
Some agreements may have language permitting them to reference your company in marketing materials or on their website. This could be problematic if, for instance, one of them wanted to write a case study about a cyber incident your business fell victim to, resulting in you using one of their products or services. You want to ensure there is a mutual understanding that sensitive information will NOT be used in that way.
Never Divulge Unnecessary Information to Unnecessary Recipients
There will be times when a state statute, a federal regulation, or a contractual obligation requires you to disclose a breach to your customers, as with HIPAA and PCI DSS. Notifying customers and clients of how the breach occurred, who was affected, what they can do to protect themselves, and what you are doing to mitigate the issue qualifies as NECESSARY information to NECESSARY recipients.
However, that does not mean that you should just freely divulge this information to random people at business events or your friends in social situations — it’s entirely inappropriate. There is no reason to put your organization at risk of the reputational harm that commonly comes with a data breach — especially when it’s in a social environment and not legally required. You never know how widespread the information can go and you want to maintain control.
Avoiding the "unnecessaries" also means holding off on full-scale disclosures unless required by law or until your leadership is prepared. Many moving parts are involved in the customer notification process for these situations. You want to ensure you have all the necessary details, service arrangements, and communication channels lined up before making a move, if you end up making one at all.
Keep Inside Data Breach Conversations Formal and Secure
There should be some formalities in the conversations when discussing your next steps of a data breach for things like remediation, recovery, and stakeholder notification. For instance, to keep information relatively contained, you should only have a small group of people involved in the communication process and only add new contributors as they’re needed.
Furthermore, you'll likely want to include an attorney and your in-house or contracted CISO (or equivalent position). None of these discussions should occur over your regular email system: email is easily forwarded, retained, and discoverable, so you risk compromising your firm's privacy, especially if you're being investigated or are having your IT security systems audited for insurance purposes.
All meetings should be done in a private room, by phone call, or through a secure video conference system, and they certainly should never happen in a large room with many people. Even conversations that you think are private could be easily overheard without you knowing and leaked out to others.
Practice Privacy From the Top-Down
These best practices need to be coupled with top-down management to ensure employees are following them as well. This can start with strict company policies and procedures on security-related issues like how sensitive information can be sent through email, the rules about discussing internal incidents with outside parties, and the employee’s respective role in breach recovery.
A lot of this comes down to your organization's culture of taking cybersecurity and privacy seriously. If you aren't frequently providing awareness training, revisiting security procedures, implementing new security tools, or running phishing simulations against your employees, it will be tough for them to take these matters seriously, since there appears to be no top-down enforcement.
Manage Your Organization’s Privacy with Ascension Global Technology
Containing sensitive information about a security breach your business fell victim to has a lot of complex legal and privacy components. Contact us today to speak to an expert and learn about how you can manage organizational privacy and enhance your cybersecurity program to prevent incidents in the first place. Also be sure to check out our blog for news and insights on the world of cybersecurity.