Part one of this two-part series on the evolving area of privacy compliance, which ran in the Oct. 22 edition of eM+C Weekly, discussed how awareness of — and action taken with regard to — constantly changing privacy regulations is critical to maintaining the trust your customers place in your business.
The next step, ensuring your company is prepared should a privacy data breach occur, is discussed here in the final part of the series. You can read part one here.
According to the Identity Theft Resource Center, reports of data breaches increased 47 percent in 2008, with a total of 656 reported breaches versus 446 in 2007.
Despite this trend, many companies that deal with sensitive consumer data don’t have plans in place to communicate with customers quickly in the event of breaches. This can result in tremendous costs to your organization. Furthermore, how you react to breaches will determine whether your response triggers regulatory review or attention from one or more state attorneys general.
The following are five ways to prepare your business:
1. Customize your approach. Your organization’s data breach plan and related documentation must be customized to reflect your specific operations and data files. If your company must comply with the Health Insurance Portability and Accountability Act, for example, you have specific reporting requirements that you must integrate into your data breach response plan.
2. Assemble a team. While a good plan isn’t difficult to create, it does require discussion and coordination among a range of groups within your organization — including IT, marketing, legal, risk management and finance. Part of your core team also should include outside experts such as legal, insurance and direct marketing providers.
3. Prepare a written incident response plan. The best way to assure a proper response is to plan ahead for one. While this is considered a best practice for most companies, it’s also increasingly becoming a legislatively mandated requirement. Assign members of your team specific responsibilities reflecting their roles in meeting company- and industry-specific requirements, federal and state law requirements, and other insurance- and risk transfer-related strategies.
Document this information in a “data breach response planning workbook” that also includes forms and templates for responding to a breach in a timely and thorough manner, helpful website links for information, sample time lines, and key contact information for all members of the response team.
4. Engage in response training. To ensure a proper response to a data breach, consider a training program that includes a mock breach. A data breach communications professional can lead your team through such an exercise, recommending enhancements that’ll make a difference if a breach occurs.
5. Conduct an annual review. Since there may be staff changes in your organization during the course of a year, conduct an annual review of the response plan to ensure new members of your team are trained. Provide personnel with a refresher on responsibilities and roles. This ensures that your company mounts an effective, efficient response to a potential breach. Have your data breach specialist review your data breach response planning workbook annually to make sure your organization’s plan reflects the latest laws and regulations governing data breach responses.
There’s no “one-size-fits-all” solution to becoming and remaining compliant with privacy laws. But compliance on its own isn’t enough. Once management is aware of the risks and potential costs associated with your privacy practices, it’s easier to make a case for putting a strong preparedness plan in place and continually refreshing it. If you handle consumer data, the single most important thing to do is be prepared in the event of a breach.
Kendall C. Walsh is the director, strategic product development, of the Compliance & Critical Communications Unit at Direct Group, a Pennington, N.J.-based integrated direct marketing services provider. Reach Kendall at firstname.lastname@example.org.