Don’t Treat Privacy Breach Victims like a Spurned Lover

A new data breach research report is out, and it is a good read. This is the annual Experian/Ponemon Institute “Is Your Company Ready for a Big Data Breach?” report. I want to focus on one of the findings in that report: most organizations are not willing to assist those affected by a breach of their personal information.

A majority of organizations surveyed don’t provide clear communication and notification to victims following an incident.

Well, that’s pretty disappointing. Why are organizations trying to avoid facing the folks whose information they ultimately did not protect well enough? It is not a good privacy breach response action. Far from it.

“Hell hath no fury like a woman scorned” 

It is increasingly becoming true that Hell also has no fury like a customer, employee, or patient whose personal information was breached while in the care of an organization. If the organization then adds insult to injury by refusing to talk with them, the organization really is being a jerk.

Here are three good reasons organizations need to be well prepared to speak with individuals whose personal information was breached while under the care of the organization, or the organization’s contracted workers and vendors.

1. We are a litigious society

An organization that is unwilling to communicate with the individuals who have had their information breached will inflame an already upset group of folks who already feel violated. Why would any organization want to fan the flames of anger by ignoring the victims? These types of situations often end up with a lawsuit where the victims sue the organization.

2. The law requires you to communicate

Turning a blind eye to breach victims likely means the organization is also turning a blind eye to their legal obligations. There are regulations that require specific types of communications to breach victims. For example, consider the HITECH Act; it requires:

SEC. 13402. NOTIFICATION IN THE CASE OF BREACH.

…

(f) CONTENT OF NOTIFICATION.—Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following:

…

(5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

An organization’s own posted Privacy Practices statement may also include a promise, or an inference, that procedures will exist to allow individuals to ask questions about their associated personal information, which would also apply in the event of breaches. Remember, these privacy notices are legally binding.

3. It is good to care

If an organization shows that it cares for its customers, patients, employees, and all others whose personal information it holds as custodian, then breach victims will be more likely to stick with the organization and continue doing business with it, even after a disappointing event such as a breach. As with a boyfriend or girlfriend, ignoring the relationship when things get a little rough (and a breach is definitely a rough period in the relationship) will result in a breakup. The same concept holds in business.

Bottom line for organizations of all sizes

All organizations that possess personal information of any kind (and can you think of any that don’t?) need to develop a documented, effective information security and privacy breach response plan. That plan needs to include a section documenting the procedures with details for how the organization will communicate with individuals whose information has been breached.

This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
