5 Tips for Handling Compromised Customer Data

Posted on by Christopher Burgess

Rarely does a week go by when you don't hear or read of a data breach and the accompanying loss of customer data or client personal identifying information (PII). Having a data breach plan in place that provides an honest, direct, and customer-centric response will go a long way toward retaining the customers or clients affected. Though no one ever wants these things to happen, data breaches do occur, and you need to be prepared.

Unscheduled Events

What happens next is binary, as was recently evidenced by Target, which publicly revealed on December 19, 2013, that its network had been breached from November 27 to December 15, 2013, and that thieves had compromised approximately 40 million of its customers' credit and debit cards. The notification on December 19 is indicative of having a data breach plan in place, a plan specific to the loss of customer data. In Target's case it was payment card data, which is protected in compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Similarly, in the case of Horizon Blue Cross Blue Shield of New Jersey and its data breach of November 4, 2013, its statement of December 6, 2013, detailed how two laptops containing more than 800,000 patients' data were stolen from its offices. In the Horizon breach, the patient data contained both personal identifying information (PII) and protected health information (PHI), which would be protected in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification rules.

These are just two examples which came to light in December 2013 because of an unexpected data breach. It is important to remember that when PII and PHI are lost, they are compromised for the life of the individual. When PCI-type data is lost, it is compromised only until the device or card can be replaced. Every entity which retains customer, patient, or associate data should have in place a tested data breach crisis plan. Here are five tips on how to be prepared for a data breach:

Preparation and Execution

1. Assume a breach will occur and plan for it. Be pleasantly surprised when it doesn't occur and secure in the knowledge that you are prepared should it ever occur. The plan should be created by the company's crisis management team—information technology, public relations, human resources/employee relations, production, and leadership must all be at the table. Internal steps should be identified, authorities granted, and each individual's role in the plan solidified when the plan is activated.

2. Exercise your plan with simulated events, also known as tabletop exercises. Ensure your team is speaking with one voice. Know who your local, state, and federal points of contact are with respect to law enforcement. If goods and services may be required to help customers whose identities have been compromised monitor for identity theft, invest in that vendor relationship during the planning stages.

3. Prepare your public statements ahead of need. 

4. Upon breach notification: when the breach is identified, put into play what you have practiced:

  • Close the breach
  • Activate the crisis plan
  • Prepare holding statements

5. Once remediation is completed, but no less than 30 days from breach notification, begin the regulatory and public advisory process.

Proper remediation and mitigation of a threat confirmed to have extracted information from the company's infrastructure is paramount. Having a company plan in place for what comes next is mandatory. For smaller businesses, it may be the difference between remaining a viable business and shuttering the doors. If you plan ahead, you won't be caught unprepared if a breach occurs and can move seamlessly into the recovery stage.

Christopher Burgess, Prevendra Inc.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
