Data hacking

The horse has bolted. What do you do now?

Troy Hunt– the Australian web security expert – may have an unlikely moniker worthy of ‘Mission Impossible’, but there is nothing false or fictional about his recent blog. He has just uncovered a data stash containing 770m stolen email address– a revelation that has sent a shock wave throughout the world.

Hunt believes that this global theft is “made up of many different individual data breaches from literally thousands of different sources”.But this does nothing to reduce the scale or the seriousness of the crime. It is graphic proof – if ever we needed it – of our  vulnerability. Data breaches now appear to be as inevitable for large organisations as claims are for insurance companies.

This reality does not mean we should throw in the towel. Preventing online invasion and data hacking must always be our top priority. But it does beg the question: what should you do after a data hack is discovered? How should you respond to such a serious breach of customer trust? And how can you minimise the cost and disruption to your business?

Lessons from the claims industry

There is a lesson here to be drawn from the Insurance industry. After many years of refusing to acknowledge claims in the hope of avoiding or deferring payment, insurance companies realise that reconciliation and rapid resolution can unlock huge competitive advantages. Companies that handle claims sympathetically and swiftly – by not making a drama out of a crisis – are very likely to win the loyalty of old customers and the admiration of new ones.

The new breed of tech-based insurers has been quick to embrace this truth… and to set the bar very high. Lemonade boasts that it can handle and settle claims in just 3 seconds! And turning a perceived negative into a trust-enhancing positive has applications far beyond insurance…

GDPR has changed the landscape and increased the consequences

It’s time that companies coping with serious data breaches had the same ‘Damascus’ moment. What’s more, there’s now an additional, very intense pressure to transform…

GDPR has turned the data issue into headline news. The recent record £44m fine levied against Google by the French data protection watchdog CNIL is evidence of this new hard line. The prospect of hefty financial penalties matched by the trust-shredding publicity is certainly focusing corporate minds. Enlightened organisations are now tooling up to differentiate themselves when the seemingly inevitable data breach happens.

In the past, suppression and even denial would have been the reflex reaction. Today, the risk of regulatory fines is forcing a new transparency. Here’s how savvy senior managers are cleaning up their act…

What can you do?

There are some immediate steps that you can take to minimise potential damage:

• The first priority is to identify the breach quickly. This can be challenging given that 65% to 75% of historical breaches originate in the data supply chain, far beyond a company’s immediate sphere of influence. One way to address this is through the tactical use of techniques such as watermarking. Also, active monitoring of data suppliers is critical.
• Once a breach has been identified, you urgently need to establish the data subjects that have been potentially impacted. Speed is vital because GDPR legislation allows just 72 hours for companies to respond…
• If the breach is considered serious enough to impact all of your customers, you could be liable to compensate everyone for any inconvenience (changing passwords, cancelling credit cards etc.). To avoid this costly outcome, you will need a detailed understanding of personal data flows and interrelationships. This can be achieved by implementing an appropriate (dynamic and sustainable) data mapping capability. But this would be over and above the simple static record required by Article 30 of GDPR.
• However, there is one big snag: Cyber and Privacy teams appear to speak a different language. There is often no shared set of terms or goals – this is an unfortunate by-product of the speed at which technology and cybersecurity have developed. For this reason, it is essential that you manage the ongoing impact – implementing a system that proactively and dynamically creates a synergy.
• Your engagement with the data subjects needs to be interactive and personal – but, most importantly of all, it must demonstrate urgency and honesty. Standard email responses – such as ‘your data is important to us and we are doing everything possible’ – are simply not good enough. People demand clear explanations; not bland excuses.

How to transform the handling of a data hack to build trust

Instead of hiding behind the corporate stockade, companies are learning that it’s often better to come out and confront issues. Here are a few starter suggestions…

Invite anyone worried about possible breaches to log on to a portal where they can see exactly what personal data may have been hacked and what decisive steps the company is taking to protect them. Such steps could include alerting a customer’s bank or credit card company and even providing free access to credit-watch services. By offering genuine assistance that exceeds expectation, companies will steal a march on most rivals who are still cowering behind the stockade.

Despite the best efforts of companies, hackers will still be working to break through barriers. They will continue to steal email logins (a topic covered in my earlier article). The bottom-line reality is that no-one and no organisation is safe. As Jake Moore, a cybersecurity expert at ESET UK said in a recent article: “If you’re one of those people who think it won’t happen to you, then it probably already has!”

But for hacked companies there is a reprieve. A chance of redemption. Honesty, transparency and swift support will not just re-build trust, they will also restore reputations and build profits. Adversity really can breed competitive advantage.