No matter what precautions your startup takes, the painful reality is that no cybersecurity system is perfect. Despite your best intentions, someone on your team is bound to make a mistake or a hacker is eventually going to figure out a new trick. That’s when you have a problem. Even companies like Facebook, Yahoo! and Equifax have had problems with data breaches.
It’s also why one of the most essential components of cybersecurity is a communication plan after a breach happens, Sandra Fathi, president and founder of Affect, a public relations and social media firm based in New York City, said.
“The company has to get ahead of (the breach) and disclose it,” she said.
Not only do all states have laws requiring disclosure, often in very specific ways, but customers have experienced enough breaches by now that they tend to take it in stride unless a company betrays trust by trying to hide it.
“Customers have become very forgiving of companies that are upfront about this,” Fathi said.
Contrary to the assumption that most data breaches are caused by larcenous teenagers in foreign countries, most breaches result from an inadvertent oversight, such as customer data ending up on a web page that can be found by a search engine, the theft of an employee’s laptop, or the destructive actions of a bitter former employee.
This was repeated by several speakers at the 2018 Cybersecurity Chicago conference. You can learn more about breaches at Breach Level Index, which lists recent data breaches as well as the level of risk to the affected customers.
No matter the cause, Fathi explains that as an entrepreneur, you have a duty to disclose the breach to your customers. In most cases, the law of the state where the customer lives governs the process, and some states have very specific requirements. One way to prepare for this step is as simple as taking the time to find out what requirements you have to meet before you have a problem, saving you time and energy if and when a problem does occur.
Crisis plans are not difficult to put together well ahead of time with a clear head, according to Fathi. Several law firms, such as Davis Wright Tremaine, cover various state notification requirements. Your bank or insurance company may have standard forms or offer services you can implement. Several communications consulting firms offer services for data breaches, so you can draw up lists long before you need them.
“Where these plans go awry is where there’s a lack of transparency or an appearance of a cover-up,” Fathi said.
For entrepreneurs who may not be familiar with crisis communications, Fathi explains that the basics are readiness, response, reassurance and recovery. While it is painful to disclose a problem to your customers, it is the right thing to do, and you can quickly send out a response that reassures your customers if it has been prepared ahead of time. Many cybersecurity issues are hidden and taken care of behind the scenes without the customer’s knowledge, but that doesn’t necessarily mean that the problem is resolved.
Preparation has another big advantage: it can help position your startup for dealing with larger companies, either as suppliers or as partners. Being able to show a cyber risk assessment and a plan for dealing with a problem can provide assurance to a larger company that your business understands the importance of data protection.
“It’s when, not if” you have a data problem, Fathi said, so having a plan in place to handle it will go a long way toward the longevity of your business.