A large data breach of consumer or employee information can harm any organization, but for small and medium-sized businesses, which have far fewer resources than the Targets, Yahoo!s, and Sonys of the world, such breaches can take a very significant toll. Depending on the actor involved, there may be a real risk to victims' financial security (as in the Equifax breach of consumers' personal and credit-related data) and to victims' personal security (as in the U.S. Office of Personnel Management [OPM] breach of background investigation records). Responsible organizations should do everything in their power to protect data in the first place, but they should also prepare a plan that ensures a prompt response for victims.
Timely official notification of potential victims is vital. Public communication in the wake of a breach means telling people promptly and honestly what data was compromised and who was affected. The Equifax breach was discovered in July 2017 but was not announced until September 2017, which delayed consumers' ability to take action to protect themselves. A 2015 RAND Corporation study found that 44 percent of American consumers surveyed first learned about breaches that affected them from sources other than the organization that suffered the breach.

Timely notification also requires accurate contact information for the victims. Two years after the OPM data breach was announced, OPM acknowledged that 10 percent of victims (about 2 million people) still had not been officially notified, because of wrong addresses or other factors.

Finally, a company should consider protective remediation options ahead of time, such as credit monitoring and defenses against identity theft, so those measures can be rolled out quickly if appropriate. With a victim response plan already in place, small and medium-sized businesses will be able to act quickly to notify and better protect affected consumers or employees.
Sina Marie Beaghley is a senior international/defense policy researcher at the nonprofit, nonpartisan RAND Corporation. Previously, she was the director for intelligence and information security issues on the National Security Council staff and a member of the White House Disclosures Task Force.
This commentary originally appeared on The Wall Street Journal’s Cybersecurity Bulletin on October 2, 2018. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.