Reacting to a Data Breach: 4 Essentials for Every Exec

A splendid article written by Bill Bourdon for the Harvard Business Review explains the four mistakes that executives make after a data breach. There is only one problem with the article: it is easier to persuade people to be positive than to persuade them not to be negative. If you tell somebody not to do something, they think of all the reasons why they might do it anyway. If you tell somebody why they should do something, they might just agree with you. So with that mantra in mind, I have simplified Bourdon's article and reversed its polarity, turning it into four simple principles that every executive should adopt when their business is struck by a data breach. They are:

  1. Act rapidly. The sooner you tell customers their data has been compromised, the sooner they can protect themselves. The sooner you fix your own issues, the sooner you will regain trust.
  2. Serve customers. It is their data which has been exposed, not yours. Do what is necessary to minimize the harm to them, not what you think might limit the harm to your business, because your customers are your business.
  3. Be transparent. If you cannot stop data breaches, you cannot stop the truth coming out either. Gossip and rumors compound the damage to your business, especially if later proven true.
  4. Be accountable. Execs are in charge; the buck stops with them. An exec who is humble about mistakes and who takes ownership of a problem may take steps to prevent future failure. An exec who denies responsibility cannot deliver change.

Despite its negative tone, the HBR article is still a good read, not least because it lists examples of where executives have gone wrong. You can read it here.

Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric. Look here for more about Eric's history as editor.