Crisis management: Firms losing victim status in data hacks

Data breaches have emerged as a major concern for companies, the government and the public, writes Associate Professor Daniel Laufer.

Examples of high-profile crises resulting from data breaches include ACC accidentally sending sensitive claim information to unauthorized individuals, and a hacker attack on Sony Pictures in the USA that experts believe involved the North Korean Government.

The causes of data breaches vary, ranging from company negligence to hackers infiltrating an organization’s information systems. Whether the cause of a data breach lies with the company or with external entities has an impact on how the public reacts to the crisis.

An example of a highly publicized data breach that happened a couple of years ago involved ACC. Sensitive claims information was sent by ACC via email attachment to unauthorized individuals on a number of occasions. This was caused by human error, and the public was justifiably outraged. People wondered why there weren’t any safeguards at ACC to prevent this from happening. It is also worth noting that employees can cause data breaches intentionally. For example, employees have accessed confidential tax and medical records of celebrities in the USA. Victims of the unauthorized release of medical records include Michael Jackson, Whitney Houston and Britney Spears. As a result of highly publicized celebrity data breaches involving medical records, the State of California passed a patient privacy law in 2008.

When data breaches are caused by human error, organisations should consider automating the process. For example, if ACC had automated the distribution of claims information, this would have greatly reduced the likelihood of a data breach. A manual system involving email attachments is prone to human error, which is much less likely to occur in an automated system with safeguards.
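The safeguard the paragraph has in mind can be made concrete. The following is an added illustration, not ACC's system or code from the article: an automated dispatcher that will only release a claim's documents to the contact address registered for that claim, and holds anything else for human review instead of sending it. The claim registry, the message batch and the attachment naming scheme (`<claim_id>-<document>.pdf`) are all constructed assumptions.

```python
"""Dispatch guard for automated distribution of per-claim documents.

Added illustration (not ACC's system): each outgoing message must carry
exactly one claim's attachments, addressed only to the contact registered
for that claim. Anything else is held for review rather than sent, which
removes the "wrong recipient" mistake a manual email workflow invites.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: str
    claimant_email: str  # the only address allowed to receive this claim's files


@dataclass(frozen=True)
class OutgoingMessage:
    recipients: tuple[str, ...]
    attachments: tuple[str, ...]  # assumed naming scheme: "<claim_id>-<document>.pdf"


# Constructed sample registry: claim id -> registered claimant contact.
REGISTRY = {
    "C1001": Claim("C1001", "alice@example.com"),
    "C1002": Claim("C1002", "bob@example.com"),
}

# Constructed batch: one correct message and three that a manual process could let through.
SAMPLE_BATCH = [
    OutgoingMessage(("alice@example.com",), ("C1001-decision-letter.pdf",)),
    OutgoingMessage(("alice@example.com",), ("C1002-decision-letter.pdf",)),   # wrong recipient
    OutgoingMessage(("bob@example.com",), ("C1001-report.pdf", "C1002-report.pdf")),  # two claims bundled
    OutgoingMessage(("carol@example.com",), ("C9999-report.pdf",)),            # unknown claim
]


def claim_id_of(attachment: str) -> str:
    """Extract the claim id from the assumed attachment naming scheme."""
    return attachment.split("-", 1)[0]


def check_message(msg: OutgoingMessage, registry: dict[str, Claim]) -> list[str]:
    """Return policy violations for one message; an empty list means it is safe to send."""
    problems: list[str] = []
    claim_ids = {claim_id_of(a) for a in msg.attachments}
    if not msg.attachments:
        problems.append("no attachment")
    if len(claim_ids) > 1:
        problems.append(f"attachments span multiple claims: {sorted(claim_ids)}")
    if len(msg.recipients) != 1:
        problems.append("message must have exactly one recipient")
    for cid in sorted(claim_ids):
        claim = registry.get(cid)
        if claim is None:
            problems.append(f"unknown claim {cid}")
            continue
        for recipient in msg.recipients:
            if recipient.lower() != claim.claimant_email.lower():
                problems.append(f"{recipient} is not the registered contact for claim {cid}")
    return problems


def dispatch_batch(batch, registry):
    """Split a batch into (sent, held); held entries carry their violation list."""
    sent, held = [], []
    for msg in batch:
        problems = check_message(msg, registry)
        (held if problems else sent).append((msg, problems))
    return sent, held


if __name__ == "__main__":
    sent, held = dispatch_batch(SAMPLE_BATCH, REGISTRY)
    print(f"sent {len(sent)}, held {len(held)} for review")
    for msg, problems in held:
        print(" held:", msg.recipients, problems)
```

The point of the design is that the authorization decision is taken from the record of who owns the claim, never from an address a person typed into a "To:" field; a message that fails any check is held, so the failure mode is a delay rather than a disclosure.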

In the case of employees improperly accessing sensitive information, an organization should take decisive action against the employees, including dismissal if necessary. With the proliferation of electronic medical record systems, it has become easier to track employees who have accessed medical information without authorisation. Disciplinary action also sends a strong signal to other employees that inappropriate behaviour is not tolerated at the organisation.
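The tracking the paragraph refers to is an audit-log review: an electronic medical record system logs every record view, and a periodic pass compares each view against who was assigned to the patient. The following is an added illustration, not any real vendor's product or code from the article; the audit log lines and the care-team table are constructed, and real systems would also need to account for legitimate emergency ("break the glass") access, which this example does not model.

```python
"""Audit-log review for an electronic medical record (EMR) system.

Added illustration, not a real product: every record view is logged with
who opened which patient record and when. This pass flags views by staff
who were not on the patient's care team and ranks users by the number of
flagged views, so compliance can prioritise follow-up.
"""
import csv
import io
from collections import Counter

# Constructed audit log: timestamp,user,patient_id,action
AUDIT_LOG = """\
timestamp,user,patient_id,action
2024-03-01T08:05:00,nurse_k,P-0001,view
2024-03-01T08:07:00,dr_lee,P-0001,view
2024-03-01T12:40:00,clerk_j,P-0001,view
2024-03-01T12:41:00,clerk_j,P-0002,view
2024-03-01T12:42:00,clerk_j,P-0003,view
2024-03-02T09:00:00,dr_lee,P-0002,view
2024-03-02T09:30:00,nurse_k,P-0003,view
"""

# Constructed care-team assignments: the staff authorised to open each record.
CARE_TEAM = {
    "P-0001": {"nurse_k", "dr_lee"},
    "P-0002": {"dr_lee"},
    "P-0003": {"nurse_k"},
}


def parse_log(text: str) -> list[dict]:
    """Parse the CSV audit log into one dict per access event."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_unauthorised(events: list[dict], care_team: dict) -> list[dict]:
    """Return events where the user was not assigned to the patient whose record was opened.

    A patient absent from the care-team table has no authorised viewers, so
    any access to such a record is flagged rather than silently allowed.
    """
    return [e for e in events if e["user"] not in care_team.get(e["patient_id"], set())]


def summarise(flagged: list[dict]) -> list[tuple[str, int]]:
    """Count flagged accesses per user, most frequent first."""
    return Counter(e["user"] for e in flagged).most_common()


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    flagged = flag_unauthorised(events, CARE_TEAM)
    for e in flagged:
        print(f"{e['timestamp']} {e['user']} opened {e['patient_id']} without assignment")
    print("per-user totals:", summarise(flagged))
```

In the constructed log the three consecutive views by `clerk_j` across patients the clerk was never assigned to stand out immediately, which is exactly the pattern behind the celebrity-record cases the article cites; in practice the review also needs the care-team assignments as they stood at the time of each access, not just the current ones.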

In addition to data breaches caused by the actions of employees in an organization, a data breach can also occur because of unlawful actions taken by external parties. For example, a hacker attack at Sony Pictures resulted in the disclosure of sensitive internal documents. These documents included unflattering comments made by Sony executives about movie stars. The media reported extensively on the revelations that resulted from the hacker attack, which was very embarrassing for Sony Pictures. However, unlike the data breach at ACC, there was sympathy for Sony’s predicament. Law enforcement officials in the USA described the hacker attack on Sony as unprecedented in its sophistication. In 2018 the United States Department of Justice also issued formal charges related to the Sony hacker attack against a North Korean citizen. The charges alleged that the North Korean citizen was working on behalf of North Korea’s intelligence agency.

It is worth noting that the case of Sony Pictures should be viewed as an exception, and companies should not expect the public to be sympathetic to a company’s predicament during a hacker attack. With hacker attacks becoming more common in today’s digital environment, the public is increasingly asking whether the hacker attack could have been prevented. Did the company invest sufficient resources in safeguarding sensitive data from a hacker attack? Over the years, the narrative in the media has shifted from the company as a victim to the company failing to prevent the hacker attack from occurring in the first place.

What should a company do if it is a victim of a hacker attack? The first priority is to protect its employees and customers. The company needs to inform them of what happened, and help its stakeholders minimize the harm caused by the security breach. For example, if the hackers have stolen sensitive credit card information, the company should advise its stakeholders to cancel their credit cards as soon as possible. Any delay in notification will cause more harm to the company’s stakeholders.

Governments have also become involved in protecting the public from data breaches, and in a number of countries there is legislation requiring data breach notification. For example, in Australia there is mandatory data breach notification, and organizations are required to notify affected individuals if there is a risk of harm. In New Zealand, Parliament is discussing changes to the Privacy Act; however, there is currently no mandatory requirement for data breach notification.

In addition to protecting its stakeholders, a company needs to convince the public that it is taking decisive action to reduce the likelihood of another data breach in the future. Hiring a credible independent third party to investigate the cause of a data breach is a good first step. However, it is also important for the company to implement the recommendations of the investigation. Customers will not be forgiving if another data breach occurs as a result of ignoring the findings from an investigation.

Read the original article in the New Zealand Herald.