A recent data breach at Snapchat made security experts scratch their heads. How does a company that markets itself as a secure messaging provider end up as the victim of a data breach?
There are a number of explanations. The first is that few organizations nowadays are immune to a data breach (just ask Microsoft – the MS Office blog was hacked this week). But there's another reason: tech analysts point out that too many companies don't prioritize cyber security during development.
Start-ups and developers are focused on making marketable products that are robust enough to handle rapid growth. But by focusing so much on performance, these developers often overlook security.
Don't make the same mistake with your clients. Many clients are anxious about cyber security. Having seen the damage done to Target's reputation after its highly publicized breach, your clients probably want reassurance about cyber security, but don't know enough to ask the right questions. It's up to you as their IT consultant to discuss these issues with them.
When you discuss data breaches, make sure you do the following…
- Talk about cyber risks early and often.
- Make sure clients understand the different kinds and causes of a data breach.
- Take control of communications after a data breach.
For more tips on how to work with clients who have experienced a breach, check out the post, “Help Clients Build Trust after a Data Breach.”
Early and Often: the Best Time to Talk Data Security
Talking about data security early is crucial for IT freelancers, developers, and small businesses to both protect their liability and build the most functional, secure software possible.
Security experts lament that data security is often an afterthought. Of course, developers want to have secure products. But they focus first and foremost on issues of scalability and function.
As an IT consultant or developer, emphasize the importance of software testing and security infrastructure. Build time into your schedule for adequate testing and make sure that clients know what's at stake if they skimp on data security.
From a marketing perspective, addressing security concerns early can also be a strategic way to represent your IT business. Clients are concerned about data security, but might not express it to you. Proactively presenting your business as security-focused helps reinforce your professionalism and ability to handle a variety of challenges.
Cyber Security 101: Defining the Data Breach
With the news full of reports of data breaches affecting household names, clients are likely familiar with the basic concept of a breach. But the kind of data breach that gets news coverage (i.e., a huge company getting hacked) isn't the only kind of breach.
In fact, there are many different kinds of data breaches. Remind clients that data breaches can also result from…
- Accidental disclosure of sensitive information.
- Physical theft of equipment (e.g., a laptop).
- IP theft.
- Employee theft of data, trade secrets, etc.
Understanding these other kinds of breaches is vital to your clients’ ability to fully protect themselves. According to a survey done by the Ponemon Institute, 35% of data breaches are caused by human error. With many breaches caused by laptop theft, improper security settings, and dishonest employees, simply adopting stronger security protocols can prevent a costly data leak.
What to Say When a Breach Happens
Okay, let's assume the worst has happened. Your client has been hacked and they’re calling you for answers. What should you say after a breach? What are you legally obligated to do?
We highly recommend that you become familiar with your state’s data breach laws. Like, immediately. If a client calls you, you should know immediately what state law requires. (For more information about your legally-mandated data breach response, see the article "What's Your Data Breach Notification Plan?").
After a data breach, the breached company will likely have to post information publicly to their customers / users / clients and possibly reach out personally to the affected parties. In all their communications, they should make sure to convey the following information.
- When it happened.
- How it happened.
- What data was stolen.
- How thieves might use the stolen data.
- What good news, if any, there is (the data might be encrypted or difficult to use for identity theft purposes).
- What affected customers can do next (sign up for credit monitoring services you will pay for, etc.).
- How customers can contact security representatives from your business if they have any more questions about the breach.
In short, after a data breach it’s important to help your client regain a sense of control. Be clear. Explain exactly what happened and what you are doing to fix the problem.
What Insurance Protects You From Data Breaches? (Answer: E&O Insurance)
Unfortunately, one of the discussions you and a client might have could be about lawsuits. They might ask if you have insurance protection to cover a data breach lawsuit.
If your client loses business because of the breach, feels they've been wronged, or seeks other damages, they might file a lawsuit against you. When that happens, E&O Insurance can cover your legal expenses and pay any damages the judge awards your client.
To get an idea about E&O cost and coverage options, check out our E&O sample quotes page.