POSITION PAPER. A Full Recovery Approach to Data Breach Response

Transcription

1 POSITION PAPER A Full Recovery Approach to Data Breach Response

2 In data breach situations, organizations have typically responded with damage control : legally required notification of the individuals whose data was lost, plus public relations efforts to mitigate bad publicity over the breach. While damage control is an understandable response to a data breach emergency, studies indicate that the greatest risk of a data breach is not legal liability or short-term public perception. The greatest risk, and cost, comes when the breach victims have a bad experience, take their business elsewhere, and tell their friends and family why. Businesses can avoid this lost business and abnormal customer churn by adopting a proactive, full recovery breach response model that leaves the business and the breach victims whole. ID Experts Breach Services: A Full Recovery Approach to Data Breach Response 2

3 The Triple Threat of Data Breach Data breaches are a reality of life for US organizations. While Etiolated.org reports that the number of publicized breaches appeared to be leveling off in , the number of records lost per breach more than doubled from less than 150,000 in 2006 to more than 340,000 in In these situations, most companies respond to the obvious threats the legal and regulatory risks and the damage to their public image but most fail to deal with the costly and insidious threat of long-term business loss. While corporate data may be lost in a breach, it is more difficult to assess the financial and emotional risk to customers, employees, patients, and other individuals whose personal data has been compromised. These risks are serious enough that about 30% of U.S. corporations have a formal privacy department, and more than 25% have a Chief Privacy Officer, Chief Security Officer or Chief Information Security Officer. These guardians of privacy are well aware of their corporate duty in the event of a data breach. A majority of states have some form of legislation requiring notification of individuals affected by a privacy breach, and in certain industries customers are protected by national regulations such as the Red Flag Rules in the Fair Credit Reporting Act (FCRA), the Health Information Portability and Accountability Act (HIPAA), and the Gramm-Leach- Bliley Act (GLBA). Failure to comply with these notification requirements can leave an organization open to regulatory action and also to legal action from the affected individuals. Organizations also recognize the threat of a data breach to their public reputation, and they tend to invest in PR efforts to prevent or mitigate the effects of negative PR. Unfortunately, many organizations spend their breach response budgets on bare-bones notification and PR, unaware that the most devastating effect of a data breach is the long-term loss of business caused not by public perception, but by the very personal experiences of the people affected by the breach. True Costs of Data Breach Response According to a recent study by the Ponemon Institute, the costs of data breach response (as shown in Figure 1) are rising: average cost in 2007 was $197 per lost record, an 8% increase over 2006 and a 43% increase over Businesses are trying to save breach response costs through reductions in notification costs (mail vs. call center services) and credit monitoring services. However, Ponemon found that lost business, not response costs, now accounts for 65% of data breach costs, and that lost business costs are increasing at a rate of 30% each year. Figure 1: Data Breach Costs The study found that the first wave of lost business results from customers who are increasingly prone to terminate their business relationship due to lost data, producing consistently higher abnormal churn rates. After a breach, people are increasingly likely to take their business elsewhere; Ponemon found that almost ID Experts Breach Services: A Full Recovery Approach to Data Breach Response 3

4 60% of respondents had or were contemplating ending their business relationship with the breached organization. In the worst case, they may take legal action, as reflected by the rising costs of legal defense after data breaches. Over time, the cost of acquiring new customers also increases, due to bad PR from the breach and as the individuals affected by the breach share their experiences with others. A data breach can put an organization in legal and regulatory jeopardy, and it does cause unanticipated costs that affect short-term financial results. But the greater risk is that a data breach injures an organization s credibility and long-term business prospects, and it injures the people whose data has been lost. The Trust Factor Customer experience is the key to avoiding or containing long-term business loss from a data breach. Statistically, a minority of data breaches led to largescale identity theft, yet a 2005 study by Ponemon Institute found that more than 86% of those affected by a data breach are fearful of potential negative effect on themselves and their families, and over 58% felt it had diminished their trust in the organization reporting the breach. Breach victims cited a whole range of reasons for these negative perceptions: confusing and/or incomplete communication, delays in notification, and support or assistance that was not perceived as helpful. The bottom line is that in almost 60% of cases, the victims were left feeling vulnerable, unsupported, and/or damaged. While businesses are seeking to reduce the up-front costs of data breaches, it is clear that the most costly response is a response that does not meet the needs and expectations of the breach victims. To formulate a financially sound response to a data breach, businesses need to consider what it will take to maintain a positive relationship with the breach population. A Full-Recovery Model For their own financial health, organizations need to take a more proactive, outcome-oriented approach to data breach response, aiming for full recovery for themselves and those affected by the breach. In a full recovery model, the affected population is informed promptly, clearly, and in a manner appropriate to their needs; they are provided with protection against and recovery from ID theft; and at the end of the experience, they remain as loyal customers, employees, clients, or patients. Full recovery for the breached organization means that public credibility, business relationships, and business prospects are preserved, and the cost of breach response services is far outweighed by the goodwill it engenders and the income streams that it protects. Full recovery from data breaches depends on targeted, well-executed responses at each stage of the data breach lifecycle (as shown in Figure 2). Figure 2: The Data Breach Lifecycle BREACH ASSESSMENT: During this phase, businesses need to determine the nature of the breach, the level of exposure and the probable risks to the organization and to the breach population. The recovery plan should be aimed at meeting the unique needs of the breach population and at achieving the best return on breach recovery costs (more about this below). ID Experts Breach Services: A Full Recovery Approach to Data Breach Response 4

5 BREACH RESPONSE: Response activities center around notification of the breach population. Communications should be tailored to the needs and concerns of the breach population. For example, an elderly population may need accommodations for hearing or sight issues, or care-givers may need to be included in the communication. If the breach population includes people for whom English is a second language, notification letters may need to be translated, and call centers should have staff fluent in the needed languages. Call center staff should be fully prepared to handle notification, questions, concerns, and problem resolution. Face-to-face meetings may also be appropriate for breach victims at high-risk or with special needs. BREACH VICTIM PROTECTION: ID theft protection for the breach population can include a variety of services, including advice on how to use credit monitoring, enrollment-based protection packages that includes services such as credit monitoring and public database monitoring, and insurance to cover any financial losses and/or legal costs directly associated with the identity theft. ID THEFT RECOVERY: For an individual to recover from identity theft it can take months or years, hundreds of hours of their time, and untold stress. If the worst happens, and any members of the breach population do become victims of identity theft, recovery services should be available to restore their financial status. The victim should have only to fill out some basic paperwork and sign a very limited power of attorney. With these in hand, a qualified recovery services team can handle all the other paperwork and communications required to restore the victim s identity. Optimizing Return-on-Response Organizations tend to weigh their liability against the costs of responding to a breach. The costs considered generally include notification, PR efforts, administrative costs of changing account numbers, etc., and the costs of providing services such as credit monitoring for a year, but not the long-term costs of lost business. Breached organizations have tended to view credit monitoring as the "standard" protection to be provided in a breach situation. But Ponemon Institute research finds that consumers are not highly valuing credit monitoring as a complete corrective solution, as indicated by low and declining rates at which breach members opt-in to a credit monitoring offer. Since the greatest costs of breach come from consumer dissatisfaction with breach response, the best returnon-response is achieved by investing in high-value assessment and high-touch response services that properly inform and reassure breach victims, then choosing protection and recovery services that are appropriate to the actual risk and that are bulk-priced based on the size of the breach population. This kind of offering will also be more cost effective and more predictable for the breached organization. In contrast with credit monitoring alone, recovery services in conjunction with monitoring has an excellent return on response cost. Not unlike the case for insurance, in most breach situations the odds are relatively low that any given individual will have their identity stolen. But pre-paid recovery services can provide all breach victims with greater peace of mind, and the small minority who may fall victim to ID theft will be far less inclined to publicize their plight or litigate if they have the benefit of fully-managed recovery services. And expert recovery services can also protect the breached organization from spurious claims of identity theft, helping prevent litigation because of the elimination of damages, and providing comprehensive documentation and expert testimony, if litigation should occur. The breach response funnel (as shown in Figure 3) tracks the breach population (and associated costs) through the response lifecycle. In a poorly managed ID Experts Breach Services: A Full Recovery Approach to Data Breach Response 5

6 breach response, even though individual breach victims are notified and offered a number to call, they often end up dissatisfied with the quality of response and become distrustful of the organization. This causes response costs to increase due to inefficiencies of dealing with disgruntled and concerned individuals in the midsection of this funnel. This results in the use of more call center time and customer dissatisfaction leads to lost business and litigation. Summary Data breaches take their toll on a business, but the heaviest toll comes from a breach badly handled. Customer reactions may range from loss of trust to offense, outrage and even litigation. Data breaches in large, highly visible organizations often get media attention, and breach victims will talk to others about their experiences. The combination of word-of-mouth and public perception can greatly affect future business prospects. When responding to a breach, organizations need to think in terms of protecting current and future business and getting the best return-on-response. And since breach response presumably isn t (and shouldn t become) one of your core business competencies, consider hiring a full service breach services vendor who can help you achieve full recovery for both breach victims and your business. Figure 3: Best Return-on-Response Achieved when each Stage of Funnel is Optimized With a full recovery model, in contrast, a more personal and tailored response causes the breached individuals to maintain very high levels of customer satisfaction at every stage. As breach victims regain trust with the organization, they spend less time with call center staff, often enroll in fewer protection services, and are less likely to pursue litigation and/or take their business elsewhere. So an optimized full recovery approach to responding to a data breach will often be no more costly than a less complete approach in terms of out-of-pocket costs, and will also typically result in a better return-on-response because of the reduction in longer term costs of lost business and litigation. ID Experts Breach Services: A Full Recovery Approach to Data Breach Response 6

7 About ID Experts We have assembled a team of people who are passionate about helping people avoid (and if necessary, recover from) identity theft. The problem has reached epidemic proportions in the U.S. We take a uniquely personal approach to fight identity theft. Our experienced recovery advocates help our customers take all practical steps to safeguard their identities. And if a customer's identity is stolen, we personally work with them every step of the way to get them back where they belong. Our mission is to help people keep their identities personal. Contact Us ID Experts 8625 SW Cascade Avenue Beaverton, Oregon p: f: info@idexpertscorp.com 1. Source: 2. Source: Why your company needs a Chief Privacy Officer by Cara Garretson, Network World magazine, May Effective January 1, 2008, the Red Flag provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), require that financial institutions and creditors develop and deploy an Identity Theft Prevention Program for combating ID theft on new and existing accounts. However, a broad interpretation of these rules could eventually affect any business that has employees. 4. Ponemon Institute, LLC Annual Study: U.S. Cost of a Data Breach. November, Ibid. 6. The Ponemon study reports that legal defense accounted for 8% of breach response costs in Ponemon Institute, LLC. National Survey on Data Security Breach Notification. September, ID Experts. All rights reserved.