Data breaches: Know your flaws, prepare your plan, recover trust

Jim Steven, head of data breach response at Experian, explains why quick action after a data breach is essential, but can only be achieved by planning in advance.

Research from Experian and ComRes suggests one in five businesses of all sizes has experienced a data breach in the past two years.

However, businesses are not powerless to at least mitigate the damage of a data breach. The monetary and reputational toll a data breach takes on a business entirely depends on how much it has planned for all eventualities.

A prepared business understands the primary consideration: damage limitation. Acting quickly and strategically before and following a data breach helps an organisation regain security and protect its brand.

Clean data vs bad data when you need it

In the event of a breach, the importance of clean and up-to-date customer data cannot be overstated. Experian’s new statistics show that only 47 per cent of businesses of any size say they have clean customer and/or employee data, while only a quarter review it once a month. The majority, 90 per cent, review it at least once a year.

This will cause unintended consequences. The problem with uncleansed customer data is that it can severely hamper an organisation’s ability to act efficiently in the event of a breach. Finding out new customer details during a crisis is time-consuming, damaging to reputations – and actually potentially impossible. The right time to be seeking up-to-date customer details is before an emergency strikes, not immediately after.

Feel the need for speed

Beyond speed of response to a data breach, it’s also important for organisations to bear in mind what customers expect in terms of a response time in terms of a notification. Our research shows that 52 per cent of people expect to be contacted and notified less than 12 hours after a breach. Only 20 per cent of businesses, however, would expect to contact their customers within that timeframe.

Clearly there’s a large mismatch, and one that may be difficult for companies to bridge. This is where data cleanliness, data hygiene and robust and well-defined data processes come into play, as they can support the very best response and earn the goodwill of customers affected by the worst.

With a thoroughly well-defined and practised data breach response plan in place, none of this would be a major worry. There would be a team or third-party partners in place to deal with notifying customers in an incident, and all within the legal timeframe.

The plan may also provide for a customer call centre that has the capacity to upscale to deal with the response, with pre-prepared, legally approved information to hand. Getting ahead of a problem being the best way to solve it, after all.

Having a pre-arranged response plan in place is therefore critical when racing against the clock following a breach. It allows a business to act quickly and prevent further data loss and effectively communicate to those affected. It means you can know your vulnerabilities, prepare your plan and recover trust. And during a crisis, that’s a strong position to be in.


Jim Steven is head of data breach response at Experian.