2014 can be characterized as the year of the breach. Major brands were hit, massive amounts of data were compromised, reputations were tarnished, share prices plummeted and the media started using terms like “Data Breaches—The New Normal”. Normal? Stolen credit cards? Patient data? Customer data? That seems like an oxymoron! Does that mean that customers/clients, patients, etc. should not be concerned when a breach occurs? After all… the media said that “Breaches are the New Normal”.
Imagine that you received an email from a customer expressing concern about breaches and wanting to know what your organization was doing to protect his/her information. How would you respond?
Concerned Customer: The Question(s)
Copy of Email From Concerned Customer
TO: Dear Board of Directors/CEO/C-Suite Exec/Owner/Partner:
FROM: Concerned Customer
SUBJECT: Data Breaches
I have been a loyal customer for “x” years. I have become increasingly concerned about my personal information due to the number of breaches that have occurred in the last year— Sony is the latest. Although your organization is not as large as some of those reported by the media, my concern and question is: “If It Can Happen to Them, What About Your Organization?” I have done some research and discovered that some of the breaches could have been prevented or at least minimized. I spoke to one of your employees a few months ago about my concern, and I was told that your IT department takes care of that (e.g. breaches). What if the breach is outside the scope of IT or your systems? That shows a lack of knowledge/understanding on the employee’s part.
I have a few questions:
- What has or is your organization doing to protect my information?
- Have breaches occurred? If yes, what and how?
- Are you required to contact me if my information is compromised? If yes, how soon?
- Are your employees trained on how to protect my information?
Thanks in advance!
As the saying goes, “It Is Easier to Keep a Customer Than to Get a New One”!
Acknowledge the customer’s concern and thank her for raising it.
Provide specific examples of things that are or will be done. The following are examples that can be provided to demonstrate that we hear you and are taking action:
Senior Management and Stakeholder Engagement
Involvement, buy-in, engagement and support from the C-Suite and stakeholders are critical. A lack of support and resources can derail the most well-intentioned effort. Visible executive support also signals the importance of the program within the organization.
Conduct A Risk Assessment
A risk assessment is an effective tool for diagnosing issues within the organization. It helps us identify the areas where customer personal/sensitive information could be compromised. The risk assessment should be repeated at a regular frequency and whenever there is a major change within the organization.
Develop An Action Plan
One of the outputs from the risk assessment should be a prioritized action plan. This will demonstrate that we “know the risks”, we “take them seriously” and we are “taking action” to resolve them. Each action should have an assigned owner and a timeline.
A training plan should be another output, to ensure that employees are adequately trained on how to manage and handle sensitive customer information.
As we have seen over the last year, data privacy should not be taken lightly! Failure to plan and implement appropriate controls causes real harm to people. Let’s do the right thing and take care of our customers—we want them to “remain our customers”!
We’ll make sure your organization is ready for the challenges ahead. Don’t hesitate to CONTACT US for information about how WAM Management Consulting Group can assist with your compliance efforts. We can help you assess and develop a plan that is appropriate for your organization!
Miranda Alfonso-Williams, CIPP/US, CIPP/E, CIPM, CIPT, is a data privacy and cyber/data breach insurance specialist. She is currently a Management Consultant for the WAM Consulting Group. Miranda helps her clients develop privacy programs. She also provides training, virtual consulting and auditing. She is board certified in Privacy and holds an MBA from the University of Phoenix. Miranda has over twenty years of experience working with major corporations including GE Healthcare, Amersham Health, Nycomed and Sterling Drug. She has specialized in developing global programs and working with cross-functional teams. Miranda can be reached at firstname.lastname@example.org