The right way to respond to a data breach at your company will vary depending on the size of the breach, the type of data that has been compromised and the laws in your region. But the experiences of a growing list of high profile companies—think Equifax, Uber, Home Depot, Target and Yahoo—have given the world clear examples of what not to do when private customer data is exposed. Here's a quick list:
1. Don't wait too long to inform the public
Waiting too long to inform affected parties about a data security breach can result in a badly damaged reputation, lost customers and a significant devaluing of your company. Just ask Yahoo—the former Silicon Valley giant that fell victim to the largest known data breach in history.
All three billion Yahoo user accounts—including names, email addresses and passwords—were compromised in an attack that took place in August 2013. The company suffered a second attack in 2014 that exposed 500 million user accounts. But Yahoo didn't inform users about the full extent of the breaches until 2016—three years after the first hack.
For more on the Yahoo hack, listen to Breach, a new investigative podcast series that digs deep to find out who was involved, how it happened and what the consequences are for businesses and consumers alike.
A major data breach can even cost you cash. Former Yahoo CEO Marissa Mayer was docked more than $13 million in the wake of the Yahoo data breach scandal.
"This is the first time we saw real financial repercussions for a breach of this magnitude," said Nicole Perlroth, a cybersecurity reporter for The New York Times and a featured guest on the Breach podcast.
2. Don't dump your stock
If you're a C-level executive or someone else with inside knowledge of a data breach, it's a bad idea to dump any stock before notifying affected parties. This may seem like a no-brainer to most executives—but it appears one former Equifax employee never got the memo.
Earlier this month, Jun Ying, the former CIO of Equifax's U.S. information solutions business unit, was indicted by the U.S. Securities and Exchange Commission (SEC) for insider trading in the wake of the company's massive 2017 data breach. The indictment alleges that Ying sold $950,000 worth of stock just before Equifax announced the breach. Equifax reports that hackers gained access to private information on approximately 148 million consumers in the attack.
"Corporate insiders who learn inside information, including information about material cyber-intrusions, cannot betray shareholders for their own financial benefit," Richard R. Best, director of the SEC's Atlanta Regional Office, said in a statement.
3. Don't try to pay off attackers
Ride-sharing giant Uber's IT systems were breached in an October 2016 attack that resulted in the theft of personal data on 57 million customers and drivers, including names, addresses and phone numbers. Uber responded by paying the hackers $100,000 to destroy the data and keep quiet about the incident.
Predictably, the criminal hackers took the money but didn't keep up their end of the bargain.
Uber finally disclosed the breach more than a year later and was fined for breaking notification laws. That same week, Uber fired Chief Security Officer Joe Sullivan and Craig Clark, a senior lawyer, saying they led the response to the incident.
4. Don't ignore company culture
Sometimes, a data breach gets its start in company culture. In the months leading up to the 2013 Yahoo data breach, CEO Marissa Mayer spent loads of money trying to transform the struggling company into a media giant. She made big changes and brought in star power like Katie Couric. But those changes may have come at the cost of security.
"Security is almost never sexy, but after your building burns down you sure wish you had spent the extra money on the fire escape," said Bob Sullivan, co-host of the Breach podcast. "Imagine how many information security professionals they could have hired for Katie Couric’s salary."
And of course, don't forget to keep up to date with all patching and security protocols—so you reduce the chance of having to deal with a breach at all. To train employees on how to spot hacks, check out companies like Wombat Security Technologies, KnowBe4 and the InfoSec Institute.