The Equifax data breach of 2017, and the company’s subsequent handling of the crime, was a watershed moment in data privacy and consumer rights in the United States. Later that year Facebook was found to have allowed a marketing company access to details of the lives of millions of its users around the world, without their permission.
The Equifax hack exposed the personal details of nearly 150 million users in the United States and the United Kingdom, and all 50 states soon afterwards launched a class action suit against the credit monitoring service. Meanwhile, Facebook’s laissez-faire approach to data privacy resulted in the compromise of the private information of nearly 90 million users of its social media platform.
Since then the CEOs and executives of both companies have sat before Congressional leaders to explain how their data privacy protections came to be so cavalier. As consumers become better educated about how companies use their data and how vulnerable their records are, state and federal governments are taking notice of corporate data privacy policies.
Leadership at the board level needs to review its internal data privacy policies and its procedures for dealing with the public in the event of a breach. Breaches of data privacy can result in public relations nightmares, the loss of customer trust, erosion of a company’s customer base, and damage to the bottom line.
Companies can, however, take steps to avoid the catastrophe that a data breach can present to their image and their revenues. Clear employee guidelines on the use of data, frequent cybersecurity audits of sensitive pools of data, and well-exercised relationships with experienced PR firms will help companies get through the bad patches that privacy breaches create.
One of the most important policies employees need to be aware of, and receive practical training in, concerns their response to unsolicited emails. The overwhelming majority of hacks result from employees clicking on links embedded in emails sent to their company email addresses, a technique known as “phishing”. Often, the links present information that staff consider important or relevant to their work, or just plain interesting. When users click on the links, malware is downloaded onto corporate networks. The malicious payload may then spy on users, collect user credentials to access other parts of the network, or break into databases that contain customer details.
Organizations also need to provide staff with clear guidelines on the creation and management of credentials they use to log on to company devices and applications.
Frequent Cybersecurity Audits
Many of the highest-profile data exposures have occurred because companies are migrating their corporate data to the cloud. Amazon, Google, and Salesforce.com offer the most popular cloud services for corporations. However, the flexibility, cost savings, and scalability the technology offers come with great responsibility. Most of the data breaches on cloud platforms have been due to ignorance or misconfiguration of the controls on those services.
RedLock, a cybersecurity vendor, estimated that 58 percent of organizations using cloud storage services such as Amazon S3 and Microsoft Azure Blob storage exposed the services to the outside world.
IT departments need quarterly – if not monthly – audits of the security configurations of the services they use outside the perimeter of their corporate networks. The speed with which cloud-based implementations are deployed and the mushrooming volume of applications demand greater oversight of data critical to the viability of organizations.
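A recurring audit of the kind called for above can be partly automated by pulling each storage service's access settings and checking them for public grants, which is exactly the misconfiguration behind the exposed S3 and Azure Blob services mentioned earlier. The following is an added example, not code from the article, from Coranet, or from any cloud vendor's tooling: it evaluates a constructed inventory of S3 bucket ACLs and bucket policies and Azure container access levels, showing a weakly configured bucket beside a corrected one. The data shapes are assumed to mirror what boto3's get_bucket_acl() and a parsed get_bucket_policy() document and the Azure container's public_access property return; the bucket names, the 123456789012 account id and the container names are placeholders.

```python
"""Offline audit of object-storage exposure settings (S3 ACLs/policies, Azure containers)."""

# Real AWS predefined-group URIs: a grant to either makes the bucket readable by the
# whole internet or by every AWS account, respectively.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Constructed inventory (assumption: shapes mirror boto3 get_bucket_acl() output, a
# json.loads()'d bucket policy, and an Azure container's public_access value).
# Names and the 123456789012 account id are placeholders, not real resources.
SAMPLE_INVENTORY = {
    "s3": [
        {   # weak: ACL grants READ to everyone and the policy allows anonymous GetObject
            "bucket": "customer-exports-example",
            "acl": {"Grants": [
                {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
                {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
            ]},
            "policy": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::customer-exports-example/*"},
            ]},
        },
        {   # corrected: owner-only ACL and a policy scoped to one named role
            "bucket": "customer-exports-locked-example",
            "acl": {"Grants": [
                {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
            ]},
            "policy": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
                 "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::customer-exports-locked-example/*"},
            ]},
        },
    ],
    "azure": [
        {"account": "exampleacct", "container": "backups", "public_access": "container"},  # weak
        {"account": "exampleacct", "container": "logs", "public_access": None},            # private
    ],
}


def as_list(value):
    """IAM documents allow a string or a list in many fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_s3_acl(bucket, acl):
    """Findings for ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append(f"{bucket}: ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[uri]}")
    return findings


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (including a list that contains "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False


def audit_s3_policy(bucket, policy):
    """Findings for Allow statements whose principal is everyone."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        actions = ", ".join(as_list(stmt.get("Action", [])))
        note = " (has a Condition block; confirm it actually restricts callers)" if stmt.get("Condition") else ""
        findings.append(f"{bucket}: policy allows {actions} to any principal{note}")
    return findings


def audit_azure_container(account, container, public_access):
    """Findings for containers whose anonymous access level is 'blob' or 'container'."""
    if public_access in ("blob", "container"):
        return [f"{account}/{container}: anonymous access level '{public_access}'"]
    return []


def run_audit(inventory):
    """Run every check over an inventory dict and return the combined findings."""
    findings = []
    for b in inventory.get("s3", []):
        findings += audit_s3_acl(b["bucket"], b["acl"])
        findings += audit_s3_policy(b["bucket"], b["policy"])
    for c in inventory.get("azure", []):
        findings += audit_azure_container(c["account"], c["container"], c["public_access"])
    return findings


if __name__ == "__main__":
    for line in run_audit(SAMPLE_INVENTORY):
        print("FINDING:", line)
```

In a real run the inventory is built by listing buckets and containers with the cloud SDKs; the evaluation logic stays the same, and scheduling it monthly with findings routed to a ticket queue gives the audit cadence the paragraph above asks for. A statement with a Condition block is reported rather than ignored, because whether the condition really limits callers has to be judged by a person.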
The Spin Doctor Will See You Now
Hope will not make data breaches go away when they occur. Instead, company leadership needs to face up quickly to the fact that a crime has been committed against it and act fast to quell customer dismay. Equifax took six weeks to disclose its breach, long enough for the hackers to sell much if not all of the social security numbers, birth dates, and home addresses of the millions of consumers in Equifax’s databases. Yahoo took two years to disclose its 2014 breach, for which the UK levied a penalty of more than US$300 million in June 2018.
Listed companies in particular should already have public relations firms on retainer in case of such catastrophic incidents. Boards need to have developed and rehearsed plans for communicating with consumers and employees and for reassuring markets. Dealing with such events is far beyond the function of traditional marketing departments, which are not trained to handle disasters.
The healthcare industry has strict federal guidelines about how to deal with patient medical records, called the Health Insurance Portability and Accountability Act (HIPAA). Organizations in other sectors would do well to develop similar guidelines for their own companies. Otherwise, businesses may find themselves on life support in the event of a major data breach.
Coranet is a certified Woman-Owned Information Technology Organization that has been meeting the requirements of Enterprise and Government entities for over 30 years. Network Engineering and Technical Support are part of our foundation, and we continue this proud tradition with a 360-degree approach to technology solutions and services in the areas of Audio Visual, Network & Physical Security, IT Infrastructure, and Consulting/Project Management. Coranet is ISO 9001 registered and Lean Six Sigma and WBENC certified.
Please contact us at Sales@coranet.com for more information.