Step 4: Create a pre-breach containment and communication plan

Determine what steps your organization will take to contain and control the damage left in the wake of a data breach.

One of the most important components of any pre-breach plan is a communications/public relations response.

Assess what information is already available and what the best ways are to gather and disseminate that information. Organizations should prepare themselves for different types of data breaches, including breaches that expose credit card numbers or account numbers.

The number one issue an organization should be concerned with, when it comes to a communication plan, is how it is going to respond to different audiences after the breach.

The different audiences and communication strategies to consider include:
  • Internal audience: Management, employees and any other member of the organization who has customer contact.

  • External audience: Consumers and any other outside party that is affected by the data breach.

  • Third-party audience: Any and all third-party vendors involved with consumer contact, including help centers, call centers, websites, ATMs and other bank branches.

When drafting a pre-data-breach security plan, here are some communications strategies to consider:
  • Internal communication strategy: Create an information tree, establishing designated members from upper management, the IT department or public relations to receive the information about the data breach and to disseminate the details of the data breach via email to the appropriate organization team members.

  • External communication strategy: Draft consumer breach notification letter templates for all types and levels of the organization's consumers, including special groups. Conduct an immediate meeting with the heads of all of the management teams and discuss what solutions should be offered to the targeted victims of the data breach. Choose a spokesperson to represent the organization to the media after a data breach, and to contact law enforcement and any other local or state authorities as needed.

  • Third-party communication strategy: Create specific call center scripts for use by the support staff when a data breach occurs. Create a plan to handle the increased call center traffic if a data breach occurs.

  • State and federal communication strategy: Make sure that your organization follows all applicable state data breach laws and any federal laws concerning data breaches, if applicable. If an organization conducts transactions with consumers in another state, the organization must know the data breach laws of that state as well.

Quality and timing of the communication response

Timing is everything, especially when responding to a data breach.

According to an older Ponemon Institute report from 2005, along with a quick response, it is the quality of the response that seems to matter to consumers, and the quality of the response ultimately helps the organization maintain credibility.

"It seems that what determines an organization's ability to protect its reputation and maintain the trust of its customers and employees in the aftermath of a breach is the quality of the notification," according to Ponemon, concerning the report's findings.

Only 1,109 of the 9,154 individuals interviewed said that they had been notified of the data breach. A letter and/or a phone call are the most frequent modes of communicating a data breach, but, according to this study, many consumers mistake a form letter for junk mail, an email for spam and a phone call for a telemarketing call. With the GE Capital/J.C. Penney breach, it took GE Money over two months to reconstruct the data tape and to notify the affected customers.

According to an article written by Associated Press reporter David Koenig, GE Money has been working since December 2007 to notify customers in batches of several thousand. GE Money set up a phone call center to deal with the breach and has been directing the affected consumers to call the center.

One J.C. Penney credit card holder, Elizabeth Rich of Everett, Washington, received a letter from GE Money, but she almost threw it away because it looked like a piece of junk mail. Though she was told her Social Security number was not on the tape, she was told that her address and account number 'might' have been compromised.

Ms. Rich assumed the letter was a credit card solicitation when she saw the GE Money return address. Since she used a J.C. Penney credit card, not a GE Money card, she almost threw the letter away.

"I think the average consumer has thrown away that GE Money letter because they don't know it's about J.C. Penney," Rich said in the article. "Not everybody opens junk mail."

© 2008 PCI Compliance Guide.org
All rights reserved - do not copy any material without written permission.