Customer Response Plan

Consumers do not react kindly to reports of data breaches. Your organization may lose more than its goodwill if you fail to adequately respond to a data breach that has exposed consumer information to potential identity thieves. It may be susceptible to lawsuits. Although you will never completely eliminate the risk of a lawsuit following a data breach, you should prepare a Consumer Response Plan to deal with inquiries, concerns and complaints from consumers, and perhaps lessen that litigation risk.

Your Consumer Response Plan is not the same thing as your Notification Plan. The Notification Plan should be designed to inform affected individuals of the breach. The Consumer Response Plan, however, should be designed to handle consumer inquiries regarding the incident after the notifications have been sent. While many parts of your Consumer Response Plan will mimic your Customer Retention Plan, there are a few additional issues to consider.

You should decide how you want to interact with the consumers. Will you provide telephone representatives to field calls? Will you provide information through an Internet site? Will you require outside consultants to assist in handling consumer issues? These questions should be answered as you determine the appropriate vehicles with which you will communicate with the public.

Your representatives should be adequately prepared on the talking points surrounding the data breach incident. Consumers will want the most current and accurate information regarding the breach and the status of their information. You must work closely with various parts of your organization (data security, information technology, etc.) to organize the details and distill the story of your breach incident.

In addition, be prepared to explain why you are collecting and storing consumer data, the services that you provide with this data, and the legal landscape that permits you to operate your business model. Consumers may be surprised, and perhaps angry, to learn that organizations collect and disseminate their personal information. You may have to explain this aspect of your business.

Dealing with angry consumers is a part of any data breach scenario. Proper planning is essential to calm a potentially angry public.