In 2012, 2644 data breach incidents were reported worldwide, and it is thought that this figure represents only 10% of actual cases. Of these reported data breach incidents, 97% were avoidable. In total, 267 million records were exposed, the average cost of each breach was $5.5 million, and the overall impact of reported data breaches was $8.1 billion.
These sobering statistics preceded the data loss prevention talk by Craig Spiezle, Executive Director & President of the Online Trust Alliance during the Best Practices track at Interact 2013.
In a data-driven economy, more personal information on consumers is being collected, and likewise, the repercussions of a data breach are becoming more severe. Perhaps one of the most embarrassing things for companies that experience a data breach is explaining why they possessed such information on their consumers in the first place – which might account for why such a large percentage of breach incidents go unreported. In the European Union, Internet service providers have 24 hours from the moment a data breach is discovered to report the incident to the authorities.
All companies must operate under the assumption that the data they possess includes confidential information subject to regulatory requirements, and that there will come an unfortunate day when they experience a data breach. As such, security and privacy by design need to be part of your corporate DNA. Data stewardship is everyone’s responsibility, and data security policies need to be continually reviewed. The absence of a plan is a clear recipe for disaster.
Zappos, for example, was a brand that floundered in the wake of a data loss incident. With no clear internal communication or pre-prepared phone scripts to help their staff deal with anxious customer enquiries, the brand struggled to deal with phones that were ringing off the hook when 24 million records were compromised.
In the US, there are 46 different regulations that deal with data breaches – this means that in a data breach scenario, your business would need to notify 46 different states, all of which have different processes for reporting the breach. Conversely, the European Union is moving towards one regulation and one notification point. If a data breach is specific to one country, however, you might not need to notify everyone.
Data Security Best Practices
While you may not know when you will have a data breach, there are ways to make sure that when the time comes, you are able and ready to deal with it.
- Create an incident response team.
- Have a draft email that is ready to go out to partners in the event of a data breach.
- Create a relationship with your local FBI office so you know whom to contact in the event of a breach.
- First responders and PR teams must be briefed and prepared in the event of data loss, e.g. media and social media monitoring.
- Consider a contract with a forensic company or a data breach remediation company beforehand.
- Think about where funding will come from and consider insurance coverage.
- Create a website section for Frequently Asked Questions and consider translating it into different languages.
A data loss incident can cause significant damage to brand reputation. In a keynote at Gartner Symposium/ITxpo 2013, Google Executive Chairman Eric Schmidt said that a significant data breach at Google Inc. would be “devastating” and would threaten the company’s existence.
And in an industry that is increasingly shaped by mobile behaviors, consider too that mobile devices have the potential to be compromised. The 2013 Data Protection & Breach Readiness Guide published by the Online Trust Alliance covers the topic of data breaches in far more depth and detail, so do download a copy of the report if you are interested in learning how to safeguard your brand!
Want to find out more about how to keep your email secure? Get the How DMARC Is Saving Email eBook and find out how this new authentication standard is putting an end to email abuse.
In light of the recent security breaches making the headlines, our own CMO Dave Lewis has posed eight points for CMOs to consider, and what the possibility of a breach could mean for them and their own marketing activities.
Says Lewis: “This isn’t a pretty picture relative to the preservation of trust, but uglier still are the potential consequences—customers being unwilling to share the data that makes digital communication and commerce work because they no longer trust companies to keep it safe. Equally devastating would be a breakdown in the trust relationships we have with each other and an inability to effectively work together as partners in this ecosystem. These are the things that worry me if the breaches continue. They jeopardize our ability to generate revenue and build customer relationships as CMOs, putting our individual and collective success at serious risk.
So what can we do about it?”
Read the whole thing here at the CMO Council’s Marketing Magnified.
My friend Ken Magill has been right to call out some of the over-the-top (arguably stupid) assertions made around the Epsilon breach. But there’s another category of statements that offend my sensibilities – those that take this unfortunate incident and an issue core to the well-being of our industry — customer trust — and twist them to their competitive advantage. Or try to, anyway. (more…)
What I want to talk about here is how we move forward in addressing data security — more precisely, a framework for addressing the issue, not the particulars. First, I’m pleased to see various industry organizations mobilizing to form task forces, etc. to address this challenge — DMA, ESPC, MAAWG, OTA, etc. And equally impressive are the companies that have rushed to publish prescriptive advice (and even product solutions) for better management of customer data. Whether we totally agree with what’s being proposed is immaterial. It’s constructive movement in the right direction. (more…)
There’s been a lot of ink spilled recently regarding data breaches among the email service provider community. Some comments I’ve found to be well-reasoned and constructive while others to be alarmist (even borderline irresponsible) or drilldowns on side issues that don’t really matter much at this point. But what concerns me most are the voices that minimize what’s happening. (more…)