Over the next several weeks, LEVICK Daily will share selected interviews from our recent NACD Directorship article entitled “What’s Next? The Top Issues of 2013 and Beyond.” Today, we feature a discussion on data loss and theft with Ted Kobus, National Co-Leader of the Privacy, Security and Social Media Team at BakerHostetler.
Mr. Kobus focuses his practice in the areas of privacy, data breaches, social media, and intellectual property, and advises clients, trade groups, and organizations regarding data security and privacy risk management.
LEVICK’s own communications best practices are appended at the end of the interview.
What are the most common mistakes companies make in data loss situations?
Ted Kobus: Too many companies fail to understand that data security events are not your typical legal problem. While complying with legal requirements is critical, companies cannot forget the impact these events have on employees, customers, the public, and regulators. Appropriately protecting the people affected by the incident will protect the brand and the company’s most valued relationships.
Second, too many companies see data security as an IT issue rather than a C-Suite and board issue. Customers and regulators expect that the C-Suite will be involved in not only responding to these events, but helping to prevent them through education, a culture of compliance, and adherence to strict policies and procedures. The companies that are most successful in preventing data loss are those that condition the corporate culture by setting the right “tone at the top.”
And third, companies fail to understand that messaging is more important than the speed of notification. There are several laws that require notification within a certain time frame. At the same time, people who are impacted by a data security event expect that notification will take place immediately. Unfortunately, notification typically cannot, and should not, be made just to get the notice out the door. If a company isn’t ready to provide answers as to what happened, how it happened, what’s being done to protect impacted parties, and what’s being done to prevent future breaches, then it isn’t ready to notify its stakeholders.
How can boards best serve a company embroiled in a data loss situation?
Ted Kobus: The most important thing to remember is that each incident presents a different set of circumstances. As such, the board has to rely on the company’s incident response team, which hopefully knows the facts better than anyone. Directors should start to worry if they sense panic or disorganization. Some questions to ask of the team include:
Is there any insurance to help offset the costs of the breach response? If not, how much is it going to cost the organization to respond?
Is this event so large that our employees will be concerned? If so, what resources will be made available to answer their questions?
Is a media release being issued? If so, is the timing of the call center establishment, website posting, notification letter mailing, and notice to any regulators all coordinated?
Is the notification letter easy to read? Does it clearly explain what happened and what the organization is doing to help protect the affected parties?
Have you considered where all of the affected people reside and have you complied with all state and local laws?
What’s next on the data loss landscape?
Ted Kobus: Notification laws will continue to evolve. Perhaps we will even see a federal breach notification law. However, the trend we see most is that the regulators, and particularly the attorneys general, increasingly want to know when these events occur and how organizations are responding.
Moreover, regulators are asking for information beyond what policies and procedures and education programs are in place. They are seeking information about whether the company has recognized its risks – and the evolution of those risks – through appropriate updating of policies, procedures, and data security technology.
BEST COMMUNICATIONS PRACTICES:
Boards must understand that stakeholders want answers in data breach situations. If the company isn’t prepared to answer all of the questions, then it isn’t ready to disclose the breach publicly.
Data loss is a topic that thrives in tech-savvy digital media. That means boards must ensure the response strategy gives bloggers and social media the attention needed to shape the narrative, rather than treating them as an afterthought to traditional press.
Boards need to understand that state and federal notification laws are subject to constant change. Just because the company was ready to communicate about yesterday’s breach doesn’t mean it is prepared to do so tomorrow.
This post is excerpted from Richard Levick’s recent NACD Directorship feature “What’s Next? The Top Issues of 2013 and Beyond.” The full article covers the most significant issues impacting boardrooms today.