September 26, 2008, 12:21 PM — What if you found out a company laptop containing important business and customer information suddenly went missing and your company fell victim to a security breach?
According to David Senf, director of security and infrastructure software research at Toronto-based IDC Canada, six in 10 Canadian firms have reported a security breach within the last 12 months. Senf said this number is actually higher, since some firms did not report accurately and some were not even aware that a breach had occurred.
While personal information is sometimes sought out for financial gain, Charles Morgan, a partner in the technology law section at McCarthy Tétrault, a Canadian law firm with offices across Canada, said data is often leaked out and compromised as a result of simple employee and/or company mistakes.
"Most privacy breaches result from internal mismanagement rather than from a hacker," Morgan said. "It's often caused by an employee that's not doing it maliciously, but mistakenly. For instance, an employee happens to leave the company laptop in a café or in the back seat of a car."
Carmi Levy, senior vice-president of strategic consulting for AR Communications, a London, Ont.-based strategic communications firm, says regardless of how a breach happens in the first place, a breach is a breach.
"If businesses aren't doing anything in their power to manage and protect corporate and customer data, they're just as guilty as if someone came in and stole it," he adds.
The consequences resulting from a security breach can be anything from reputational damage to a company, to losing customers, to a class action lawsuit, which could easily cost a business millions of dollars in damages, depending on the breach severity, Morgan explains.
So what immediate steps of action should business management take after they learn their company's been breached? Morgan outlines a list of six key steps that any business can follow after a breach to help restore workplace order. They include putting together a team to investigate the security breach, conducting a thorough investigation, determining if any legal responsibilities apply, developing and executing a notification strategy, reviewing all policies and procedures, and lastly, creating a communications plan.
Once a breach has occurred, Morgan said the organization must put together a team to investigate what has happened. Members of the team can include a privacy officer from the company, members from security, IT, communications and legal departments. What's important to consider, Morgan says, is that you have employees from various parts of the business represented in the team.
"You want to make sure all kinds of positions and the right people are in the team because there are so many aspects of a security breach that must be managed," Morgan said.
As Levy suggests, "Everyone has a role to play because true security isn't one person or entity's responsibility and accountability. It's really everyone's."
Once the team has been assembled, Morgan says a thorough investigation must be conducted to establish what the chain of custody was for the data leading up to the breach. This will help to mitigate any further risk or damage that may ensue, he adds. It's also important to investigate whether the lost information has been inappropriately used or disposed of.
"When investigating, ask questions like, 'When did the data breach occur? How was it discovered? How many people are potentially affected by the breach? What's the nature of the information that was breached? Were they phone numbers, credit card numbers, and so on?'" advises Morgan.
Third on the list is for an organization to determine what its legal responsibilities are and to see whether these responsibilities apply to any particular jurisdiction based on geographic region, Morgan said.
After verifying the severity of the breach, Morgan said organizations then need to develop and implement a notification strategy. Levy says with the recent shift towards conducting business and transactions online, our physical connections with companies have accordingly lessened over time.
"Often the only real connection we have with companies is the trust relationship with online tools," Levy said. "If that's compromised in some way, businesses may risk losing the trust of their customers. In the event of a breach, it's best to regain that customer trust as soon as possible. To do that, companies have to be proactive and upfront and not hide anything."
Notification can be sent out to customers via letters, e-mails, telephone calls, or a general press release, Morgan said. In most cases, he says it's in a business's best interest to be transparent about its privacy practices.
Once a notification plan has been executed, Morgan says companies need to review and evaluate all of their existing policies and procedures. Proper policies need to be put in place to help ensure a security breach does not happen again at the company.
The last step of the action plan, Morgan says, is to develop a communications plan with the company, its employees and its customers.
"Companies have to be careful with how they present information," Morgan said. "They need to make sure that everything that's being stated is being acted upon. The communication strategy involves deciding when and what to say and to whom."
To help mitigate the risk of experiencing a security breach, Morgan says companies should think about whether or not they actually need to collect and keep all of the personal information that they have.
"Companies should only keep and collect the personal information that they need," Morgan said. "Encryption solutions should also be considered especially when dealing with a large database of personal information. Make sure only the people that have a need to know responsibility have access to that information. Companies can even enforce restricted access to data files with password protection in addition to encryption."
Senf says in general, more businesses need to do more upfront and advance planning to help lessen the risk of a security breach. Companies need to provide their IT departments with the necessary tools, support, money and time in order to help reduce the level of security risk, he said.