Customer Letter To C-Suite! How Would You Respond?

The Problem?

2014 can be characterized as the year of the breach. Major brands were hit, massive amounts of data were compromised, reputations were tarnished, share prices plummeted and the media started using phrases like “Data Breaches—The New Normal”. Normal? Stolen credit cards? Patient data? Customer data? That seems like a contradiction in terms! Does it mean that customers, clients, patients and others should not be concerned when a breach occurs? After all, the media said that “Breaches are the New Normal”.

Imagine that you received an email from a customer expressing concern about breaches and asking what your organization is doing to protect his or her information. How would you respond?

Concerned Customer: The Question(s)

Copy of Email From Concerned Customer

TO: Dear Board of Directors/CEO/C-Suite Exec/Owner/Partner:

FROM: Concerned Customer

SUBJECT: Data Breaches

I have been a loyal customer for “x” years. I have become increasingly concerned about my personal information due to the number of breaches that have occurred in the last year—Sony is the latest. Although your organization is not as large as some of those reported by the media, my concern and question is: “If It Can Happen to Them, What About Your Organization?” I have done some research and discovered that some of the breaches could have been prevented or at least minimized. I spoke to one of your employees a few months ago about my concern and was told that your IT department takes care of that (e.g. breaches). What if the breach is outside the scope of IT or your systems? That shows a lack of knowledge/understanding on the employee’s part.

I have a few questions:

  • What has or is your organization doing to protect my information?
  • Have breaches occurred? If yes, what and how?
  • Are you required to contact me if my information is compromised? If yes, how soon?
  • Are your employees trained on how to protect my information?

Thanks in advance!


Concerned Customer

The Response/Solution?

As the saying goes, “It Is Easier to Keep a Customer Than to Get a New One”! Acknowledge the customer’s concern and thank her for raising it.

Provide specific examples of things that are being done or will be done. The following are examples that can be provided to demonstrate that we hear you and are taking action:

Senior Management and Stakeholder Engagement

Involvement, buy-in, engagement and support from the C-Suite and stakeholders are critical. Lack of support and resources can derail the most well-intentioned efforts. Visible executive sponsorship also signals the program’s importance within the organization.

Conduct A Risk Assessment

A risk assessment is an effective tool for diagnosing issues within the organization. It helps us identify the areas where customer personal/sensitive information could be compromised. Risk assessments should be conducted periodically and whenever there is a major change within the organization (for example, a new system or a reorganization).

Develop An Action Plan

One of the outputs from the risk assessment should be a prioritized action plan. This demonstrates that we “know the risks”, “take them seriously” and are “taking action” to resolve them. Each action should have an owner and a timeline.

Employee Training

A training plan should be another output of the assessment, to ensure that employees are adequately trained on how to handle sensitive customer information.

Final Thought

As we have seen over the last year, data privacy should not be taken lightly! Failure to plan and implement appropriate controls causes real harm to people. Let’s do the right thing and take care of our customers—we want them to “remain our customers”!


To jump start your planning, request our free Risk Assessment Checklist.

Contact Us

We’ll make sure your organization is ready for the challenges ahead. Don’t hesitate to contact us for information about how WAM Management Consulting Group can assist with your compliance efforts. We can help you assess your risks and develop a plan that is appropriate for your organization!

Bio

Miranda Alfonso-Williams, CIPP/US, CIPP/E, CIPM, CIPT, is a data privacy and cyber/data breach insurance specialist. She is currently a Management Consultant for the WAM Consulting Group. Miranda helps her clients develop privacy programs. She also provides training, virtual consulting and auditing. She is board certified in Privacy and holds an MBA from the University of Phoenix. Miranda has over twenty years of experience working with major corporations including GE Healthcare, Amersham Health, Nycomed and Sterling Drug. She has specialized in developing global programs and working with cross-functional teams. Miranda can be reached


Posted in Data Privacy

Home Depot, Target, and CHS: Are Data Breaches the NEW Normal?

By Miranda Alfonso-Williams, CIPM, CIPT, CIPP/E/US

56 million, 42 million, and 4.5 million: these numbers represent the impact of the high-profile data breaches at Home Depot, Target and Community Health Systems. Home Depot is the latest major brand to be attacked. This breach represents the second largest of all time to impact the retail sector. TJX continues to hold the number one spot with over 90 million impacted.

In August we learned that Community Health Systems was breached and 4.5 million people were impacted. The news was disturbing: attackers were able to obtain names, birth dates and social security numbers of millions of patients. It’s clear that hackers are more skilled, the volumes of data are growing exponentially and the targets and industries are diverse.

Employee credentials were obtained in the attack that impacted eBay. The thieves, at a minimum, had access to and reportedly copied customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth: the type of information that is an identity thief’s DREAM! The obvious question is how the thieves were able to gain access to employee credentials. The answer: it is not as hard as you may think! I have conducted many audits where I have found logon information and other credentials under keyboards, in unlocked drawers and pinned on bulletin boards.

Social engineering and phishing are also ways of tricking people into providing private information in order to gain unauthorized access to information or resources. It seems counterintuitive that such information would be handed over readily, right? The fact remains that social engineering and phishing are very much alive. Think about the last time you received an email that looked like it was from your bank or another entity with which you have a legitimate business relationship. It usually starts out with “we need to confirm” or similar wording that requests your personal information (e.g. social security number, date of birth, address, etc.).

What can we do? We cannot thwart every attack, nor stop an attacker that is motivated, determined and well resourced. However, we can be proactive and develop a good OFFENSE!

Workforce Training

Does your organization provide data breach training? Do your employees know how to recognize a breach? How to respond? Whom to notify? What to report? Data breaches have become more rampant, so it is important that our employees are equipped with the knowledge and skills to address them and respond appropriately. Our employees are on the front lines and are in the best position to provide the first line of defense. We must provide them with the tools required to accomplish this.

Risk Assessments

Has your organization conducted a risk assessment? How would you answer the following questions? What are our risks? Have these risks been prioritized? What are the consequences of a breach? Would we experience financial harm, regulatory consequences and/or fines? Irreparable reputational harm? Loss of business or customers? If unsure, a risk assessment should be conducted. This will help the business prioritize what needs to be managed, identify the appropriate controls and resources, and develop an action plan.

Audits

Have we had an objective party audit our level of compliance? Do we follow our policies? Do we have policies? How about regulations and internal requirements? Oftentimes we have tunnel vision when it comes to our own organizations and lack the objectivity to evaluate our own practices. Audits are an effective way to obtain an objective analysis. The results can help us identify gaps, opportunities for improvement and best practices that help our program become more compliant.

We cannot avoid every risk or prevent all breaches. However, we have a duty to our customers, stakeholders and employees to do our part to manage and mitigate our risks. Remember, the best defense is a good “OFFENSE”!

To receive a free copy of our checklist on “How to conduct a risk assessment”, send a request to:  I can also be contacted if you have questions or feedback.

Posted in Uncategorized

Data Breaches in Healthcare Are On The Rise: How Data Breach/Cyber Security Insurance Can Help!

DATE:                 September 17, 2014

TIME:                   2:00-3:00 P.M. (EDT)

CLICK HERE:  Watch Video!

This Webinar will cover:

* What is a breach?

* The landscape (e.g. regulatory, etc.)

* Reasons for the increase in data breaches

* Cyber threats, what to look for.

* How do we defend against Hackers and the Bad Guys?

* Considerations when purchasing data breach/cyber insurance.

Posted in Data Breach/Cyber Insurance, Data Privacy, Webinar

FREE WEBINAR: Cyber/Data Breach Insurance Considerations for Small And Mid-Sized Businesses



TIME: 2:00-3:00 (EDT)



Data breaches are on the rise! The headlines are dominated by breaches impacting large companies like JP Morgan, Home Depot, Target, etc. The fact is that the same vulnerabilities are equally, if not more, pronounced in small and medium businesses (SMBs). Watch the video below and register for this important and informative webinar.



* What Is A Cyber Attack/Data Breach?

* Why Are Attacks On Small/Mid-sized Businesses On The Rise?

* What Is The Purpose Of Cyber/Data Breach Insurance?

* What Does Cyber/Data Breach Insurance Cover?

* What Industries Should Consider Cyber/Breach Insurance?

* What Else Can SMBs Do To Mitigate The Risk?

* And More…….


Posted in Data Breach/Cyber Insurance, Data Privacy, Small and Medium Businesses, Webinar

5 Ways To Prevent Costly Data Breaches at Your Business

By Miranda Alfonso-Williams


JP Morgan, Community Health Systems, Target and Neiman Marcus all have one thing in common: they have been HACKED! Each week another organization becomes the victim of a data breach. It is clear that attacks are on the rise and that attackers have become more sophisticated. Gone are the days of Kevin Mitnick, when the thrill of breaking into a system was the major motivator. Hacking and breaching data have become a major enterprise. Cybercriminals are equal opportunity attackers; the industry or size of the organization is of little consequence. Intellectual property, patient data, credit card data and customer data are now the motivators. It is clear that the game has changed! So how do we protect our organizations? We need to be proactive and take measures to mitigate our risk. We also need to understand that as long as there are people and/or organizations that are motivated to attack and have the will and determination, risk cannot be eliminated! That said, the following are examples of things we can do to proactively manage our data and reduce our risk.

1. Conduct a risk assessment

A fundamental step is to conduct periodic risk assessments. What type of data are we collecting? How is it used? Where is it stored? How long do we keep it? How is it secured? These are basic questions that should be considered when assessing our risks and prioritizing them according to criticality. There are a number of risk assessment frameworks that can be utilized, such as GAPP and ISTPA. Obviously, one size does not fit all organizations; it is important to pick the appropriate framework or hire a professional to help facilitate the assessment.

2. Policies/Procedures

Senior management support is critical; the policy should be a high-level document that expresses their intent and support for the program. It should not be a voluminous document but one that is clear, concise and appropriately communicated. One of the outcomes of the risk assessment will be the creation or modification of procedures. The procedures should be prioritized in line with the high-priority items identified by the risk assessment. The objective of a procedure is to provide a “how to” document: it is more detailed than the policy and can give a step-by-step description of how something should be accomplished.

3. Data Retention

Data retention can be thought of as a life cycle management process. Often we hold on to information longer than necessary, and in some cases we do not have a clear policy/procedure for managing our data. Data we no longer hold cannot be stolen in a breach, so disposing of it on schedule is itself a control. Data classification is of paramount importance: it helps us determine the value and sensitivity of the data we collect, and thereby gives us direction on the type of control that is most appropriate. For example, protected health information (PHI) would be classified at a higher criticality level than a quarterly financial report that has been shared publicly. In terms of safeguarding the data, encryption would be appropriate for the PHI but unnecessary for the quarterly statement that has already been made public.

4. Training

It is important to provide employees with consistent and clear training so that they know what is expected of them. Training can come in many forms, including formal classroom sessions, webinars and lunch-and-learns. The critical component is to ensure that the intended audience and the message are aligned.

5. Consider Data Breach/Cyber Insurance

Data breach and cyber insurance has become more popular in light of some of the high-profile breaches. Additionally, most states have enacted laws that require breach notification to impacted parties. Given the size of some of the well-known breaches, notification alone can be very costly. There are basically two types of policies. First-party coverage covers losses sustained by your own business (for example, notification and credit monitoring costs). Third-party liability coverage covers claims brought by your customers and other affected parties. Each insurance carrier has its own set of inclusions and exclusions, so it is important to shop wisely and know exactly what is included.

These are just highlights of some of the things that can help us protect our customer’s data and help us to continue to provide value!


Posted in Uncategorized

“The Snowden Effect”….Who Can We Trust?

By M.Alfonso-Williams

Few figures have been as divisive, or catapulted so quickly onto the world stage, as Snowden. To some he is the epitome of a “traitor”, vilified for revealing “secrets” that some say could compromise “national security”. Others revere him as a hero: through him we learned about surveillance of phone conversations, storage of metadata and secret government operations. Conspiracy theorists have long believed that the government covertly collected information on its citizens. To our surprise, an unassuming contractor seemingly had the “keys to the kingdom” and revealed those secrets to the world. On the one hand, some of the details were shocking. Who knew that so much information was obtained about U.S. citizens? More importantly, why? Many asked, “why would the government want to listen to my phone calls?” Why is my information being stored? What else is being collected and stored? These questions may never be answered, but they fueled a healthy debate about “the right to privacy.” Do we really have privacy? When surveillance and other techniques are utilized in the name of “national security”, when is enough enough? Should there be more oversight of the intelligence community? Who determines what is enough? None of these are easy questions, nor will they be answered without a great deal of debate!

As in the past, most privacy legislation has been enacted in response to something that has happened. Whether Edward Snowden is viewed as a “traitor” or a “hero”, his actions have created a timely and relevant debate on “the right to privacy.” Privacy advocates have been leading the charge! The “privacy debate” is at the forefront and will likely result in additional reform. More oversight is necessary to ensure that data collection is proportional to the need and to protect against carte blanche access to our private information. What do you think?

Posted in Uncategorized


Back to Basics!

Almost daily we hear about a business that has experienced some type of data breach. Whether it is credit card information, social security numbers or patient information, it represents a vulnerability and an exposure for those who have been impacted. Conversely, the gatekeeper of the information has an obligation to make things right; this can take the form of credit monitoring services, notification, etc. Industries like financial services and healthcare may have further obligations if specific regulations have been breached. In most cases the breach does not reach the level of impact or scrutiny of those experienced by Target or Neiman Marcus. The causes of these high-profile breaches will serve as case studies and be heavily debated as companies work towards crafting their own privacy programs. The media has repeatedly asked the question “How could this happen?” It is natural to examine and reflect on our practices and wonder, “if this can happen to big names and brands like these… what about us?” Do we have the appropriate controls? Have we examined our risks and mitigated them to a level that is acceptable? Have we conducted audits to identify our gaps? Do we have corrective action plans?

No one wants to be the victim of a breach! However, breaches often serve as a catalyst that helps us examine our own programs and practices and prompts us to develop plans and actions to mitigate risk to our customers.

What do you think?

Posted in Data Privacy