Bend, But Don’t Break: How to Minimize the Effects of a Privacy Breach

By Elena Ames, Deluxe Corporation
Reposted with Permission. Originally posted on Deluxe Blogs.

Last week, my colleague Brad Reimer posted a great privacy blog on his recent attendance at the 2015 Privacy. Security. Risk. (P.S.R.) IAPP conference. Protecting sensitive information has been a key topic this year for many organizations across the globe. A few months ago, I had the great opportunity to visit Toronto, Canada, and network with other privacy professionals at the IAPP Canada Privacy Symposium. We sat together for three days, sharing knowledge and creating strategies. One universal topic we discussed was all of the breaches occurring around us. They affect us all. They can impact one person or tens of millions. Data breaches exploit known or unknown vulnerabilities in systems, including the humans who run or access them. Breaches are generally the result of a series of events, and many have a technological component. And, often, they could have been prevented!

WHAT CAN A COMPANY DO TO PREVENT A BREACH?

Companies should learn from each other and from other organizations’ privacy breaches. They should consider whether there were internal or external threats, or missing, incomplete or unfollowed policies or procedures. There are many excellent reports available on frequently seen vulnerabilities from Verizon, Microsoft, Symantec, and many others, including government audit reports.

The Office of the Privacy Commissioner of Canada gives advice on how companies can safeguard their data at the enterprise level:

  • Have a governance structure in place: CPO, DSO, CISO, CIO, and BCP working together with the support of all executives to achieve the organization’s objectives.
  • Ensure that all employees understand their roles and responsibilities; this can be achieved through training.
  • Have a compliance program with policies and procedures.
  • Use risk assessment to address any organizational changes, implementation of new services and products, or changes to the systems.

KNOW THE DATA AND EXACTLY WHAT YOU ARE TRYING TO PROTECT

  • What data do you have?
  • Is it sensitive?
  • Where is it located?
  • How is it being protected?
  • Where are the customers? (This determines which laws you need to follow.)
  • Do you even need the data?
  • Do you still need the data after thinking through all these questions? If so, then limit retention and destroy what is not needed.

EVERY COMPANY SHOULD PLAN TO MINIMIZE THE IMPACT OF PRIVACY BREACHES

  • Have access to a trained multi-disciplinary response team with clear roles and responsibilities.
  • Make sure outsourced providers have the same level of understanding of what a breach is and what the appropriate response is.
  • Review all security policies.
  • If a breach does happen, a company’s goal should be to minimize the impact on affected individuals and re-establish trust. My colleagues and I agree that the more transparent a company is about what it is doing, the faster it will regain the trust of its customers and its reputation.