The costs of a data breach add up quickly. The average total cost of a data breach in 2015 was $3.8 million, according to the Ponemon Institute’s report “2015 Cost of Data Breach Study: Global Analysis.” This staggering figure includes the direct expenses incurred because of a breach, such as hiring forensic experts and providing free credit-monitoring subscriptions for victims. It also includes indirect expenses, such as lost business opportunities and the damage to a company’s reputation after the news of a breach spreads.
Given these high costs, it would not be surprising if some businesses attempted to hide the fact that their systems had been breached. However, failing to disclose a data breach is illegal in many areas.
Is Non-Disclosure Illegal in Your Area?
By law, organizations must report data breaches in 47 U.S. states, Puerto Rico, the Virgin Islands, and the District of Columbia. As of September 2015, only Alabama, New Mexico, and South Dakota did not have similar laws on the books. Companies in those three states might soon have to report breaches, though. President Obama has called for a national standard on the issue. Plus, several U.S. Congress members are working on federal regulations that relate to data breach notifications.
The United States is not alone in requiring companies to report breaches. South Africa has a data breach notification law in place. The United Kingdom, Canada, Australia, and New Zealand are developing similar laws. These four countries already have extensive guidelines on the subject.
Even if you are not required to provide data breach notifications, it is a good practice to do so. Being up-front about a data breach can help lessen some of the negative feelings that your customers and the general public might have about your company.
How to Handle Data Breach Notifications
The best way to handle data breach notifications is to develop a written policy governing how they are prepared, approved, and delivered. Key stakeholders and members of your legal team and IT staff need to develop this policy together. You might want to bring in an outside expert to help develop it.
Your data breach notification policy should specify:
- Who is responsible for creating and approving data breach notifications
- Who should receive them: List the groups and authorities to notify. Besides affected customers, you need to notify government authorities if required by law. You might also need to notify a regulatory group if your business falls under industry regulations. Plus, it is a good idea to let the general public know before they learn of the breach through other sources.
- When to send the notifications: Include a general timeline for when to notify each group and authority. Where a law or regulation sets a deadline, the timeline must meet it. For example, you might want to notify your customers before informing the general public.
- What information to include: Make sure that your policy mentions any content that must be included to meet region- or industry-specific regulations, such as what happened, what data was exposed, what the company is doing in response, and what recipients should do to protect themselves.
Another item to address in your policy is the tone of the notifications sent to customers. A notification in which the company takes responsibility and apologizes for the data breach will be better received than one that skirts the issue. Notifications should also be empathetic and use language that the average person can understand. Including a tone guideline in the policy will help ensure that your data breach notifications tell customers what they need to know in a thoughtful manner.