Authored by Scott C. Hall and David (Duff) Beach.
The Equifax data breach has dominated news headlines for weeks, and Equifax will be dealing with the legal and financial fallout from the breach for many years. While many companies may be relieved not to be in Equifax's position right now, no company is immune to data breaches. Those who fail to learn key lessons from Equifax's mistakes may find themselves in the next headline. Accordingly, companies in every industry, and of every size, that maintain any type of sensitive personal data—whether it be of customers, employees, or data maintained on behalf of others—should study the Equifax situation and ensure that they are better prepared for a data breach incident.
1. Everyone (yes, everyone) will experience a data breach.
When it comes to data breaches, the question is not if, but when. The more important question, then, is how you will respond. Data breaches do not result only from malicious hackers or phishing scams. They can occur when employees inadvertently access and/or mistakenly share personal data. They can occur when company laptops, flash drives, or even personal phones or tablets that contain company data are lost or stolen. These kinds of events occur in every company in every industry. As a result, everyone needs to prepare to respond. Indeed, the manner in which Equifax handled this most recent data breach—including: (1) the several weeks that elapsed before notifying affected individuals, (2) the executives who sold stock during the period between discovery of the breach and notifying the public, and (3) the company's offer to provide credit monitoring services to affected individuals, but only in exchange for a waiver of certain legal rights against the company—indicates that Equifax was not sufficiently prepared to deal with this kind of data breach.
Every company should have a basic data breach response plan in place that at a minimum identifies who (among IT, HR, business operations, public relations, and other personnel) will respond to the breach, what their respective roles will be, and who will be the ultimate contact point and decision-makers with respect to the response. The plan should also include a timeline and enumerated steps to follow regarding discovering the scope of the breach, investigating the cause, remedying or mitigating the breach, notifying affected individuals, and contacting law enforcement as necessary.
Because of the widely publicized nature of Equifax's data breach, as well as other recent high-profile data breaches, no company will get a "free pass" or be able to argue that it had no idea a data breach could happen to it. In effect, these high-profile breaches put everyone on notice that data security must be a priority for all. Any company that chooses to put its head in the sand does so at its own (certain) risk.