What Happens When There is a Security Breach or Incident?
By Carl Bleich
Author’s note: You’ve done all of your research, spent hours going through different options, seen an amazing demo, and are finally ready to purchase your customer data platform. But one last step looms: final approval. Make sure that you are armed with the information you need to prove that your CDP is safe and secure. This is the fourth article in Bloomreach’s series “Don’t panic: A marketer’s guide to customer data security”. This series will help educate marketers on why security is so important right now and give them the proper tools to help ease the nerves of risk-averse colleagues who may not fully understand the benefits of a CDP.
In your role as a marketer for your company, you have surely seen the news reports about security breaches or other incidents related to security in your field and others.
Whether it’s the leaked customer data, the ensuing process to “clean up” the incident, or the hefty fines levied on the responsible businesses, it’s become blatantly obvious that your company wants to avoid a security breach at all costs.
But what actually happens when there is a security breach or incident? The issue takes place, and then what follows it? What is the process like?
To encourage you to continue your diligence and attention to detail when working with customer data as a marketer, let’s break down what a security breach actually looks like from the inside.
So grab your lucky rabbit’s foot or put on your lucky socks (just to be safe!) and let’s start by imagining a scenario that hopefully never happens to any business you ever work for.
A Scary Scenario
Your company’s Chief Information Security Officer, Compliance Officer, or Data Protection Officer has been notified of a data breach. That individual then gathers additional information about the situation and determines that customer data is involved and there is a risk to your customers.
The General Data Protection Regulation (GDPR) now requires the following question to be answered: is the breach likely to result in a risk to individuals’ rights and freedoms? Since the controller has already determined there is a risk to customers in our hypothetical situation, the answer here would be yes. If it were no, there would be no requirement to notify appropriate authorities and the breach would just need to be documented internally.
That question now leads to another required question: is this a high-risk scenario for the individuals involved? If yes, it is time to take the painful next step of notifying the affected parties (usually customers, partners, or other employees) so they can protect themselves accordingly. If no, the only notification requirement is to notify the competent supervisory authority.
After the proper notifications, it’s time to start picking up the pieces and doing damage control with key stakeholders. It’s also time to potentially invest in better staff training around security or a tool that helps track marketers’ actions to help prevent future issues.
And, exhale. While you hope to never find yourself in that situation, knowing the GDPR-required steps just in case can be nothing but helpful.
Breaches Don’t Always Look Alike
For the sake of our scenario, we did not define what the specific breach was. But it is important to note that all data breaches are not alike and cannot be treated as such.
For example, a marketer’s laptop might be stolen out of the office over a long weekend. The appropriate response to this incident is largely determined by the contents of the laptop.
Did the laptop contain the personal data or information of customers or employees? Was there no data on the laptop at all? Was there data on the laptop, but encrypted? The answers to these questions determine how your company must move forward with cleaning up and reporting this incident.
If data on the stolen laptop can be accessed by the thief, the incident needs to be reported to the appropriate parties. If the data is encrypted or was not on the laptop to begin with, just make a record of the incident internally.
Other examples of security incidents or data breaches include: a stolen USB drive, a cyber attack on an online service containing data, a ransomware attack, personal data being sent out accidentally, a direct marketing email sent with the recipients in the “to” or “cc” fields so that every recipient can see the other recipients’ email addresses, and so on. Each of these situations must be handled by following the same steps laid out in the original scenario.
These situations also must be handled quickly. According to GDPR, the controller has 72 hours from becoming aware of the incident to report it to the appropriate authorities, if the incident requires reporting. While that might sound like ample time, those 72 hours can go very quickly in a crisis.
Data breaches and security incidents can quickly become “all hands on deck” situations, as it takes the effort of multiple groups of people to gather all of the information needed to meet the 72-hour reporting deadline.
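The decision questions above (is personal data involved and actually accessible, is there a risk to individuals, is that risk high) and the 72-hour clock are simple enough to encode as a triage helper. The following is an added example, not Bloomreach code and not part of the original article; the incidents it runs over are constructed from the laptop and “cc” email scenarios, and the risk ratings assigned to them are assumptions made for illustration, not a legal assessment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Action(Enum):
    """Outcome of the breach triage described in the article."""
    INTERNAL_RECORD_ONLY = "document internally only"
    NOTIFY_AUTHORITY = "notify the supervisory authority within 72 hours"
    NOTIFY_AUTHORITY_AND_INDIVIDUALS = (
        "notify the supervisory authority within 72 hours "
        "and the affected individuals without undue delay"
    )


@dataclass
class Incident:
    name: str
    aware_at: datetime                 # when the controller became aware of the incident
    personal_data_involved: bool       # did the device/message/service hold personal data?
    data_accessible_to_third_party: bool  # False if no data, or data encrypted and key not exposed
    high_risk_to_individuals: bool     # the "high risk" question from the article


def triage(incident: Incident) -> Action:
    """Walk the article's decision questions in order and return the required action."""
    # No personal data, or data the thief cannot read: record internally, no external notice.
    if not incident.personal_data_involved or not incident.data_accessible_to_third_party:
        return Action.INTERNAL_RECORD_ONLY
    # Data is exposed, so there is a risk to individuals: the authority must be notified.
    # If the risk is high, the affected individuals must be notified as well.
    if incident.high_risk_to_individuals:
        return Action.NOTIFY_AUTHORITY_AND_INDIVIDUALS
    return Action.NOTIFY_AUTHORITY


def reporting_deadline(aware_at: datetime) -> datetime:
    """The 72-hour reporting window starts when the controller becomes aware."""
    return aware_at + timedelta(hours=72)


def hours_remaining(aware_at: datetime, now: datetime) -> float:
    """Hours left on the 72-hour clock; negative means the window was missed."""
    return (reporting_deadline(aware_at) - now).total_seconds() / 3600


# Constructed sample incidents (the risk ratings are assumptions for illustration).
AWARE = datetime(2021, 3, 5, 9, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    Incident("laptop stolen, full-disk encryption, key not exposed", AWARE, True, False, False),
    Incident("laptop stolen, no customer data on it", AWARE, False, False, False),
    Incident("laptop stolen, unencrypted customer records", AWARE, True, True, True),
    Incident("marketing email sent with recipients in 'cc'", AWARE, True, True, False),
]


def run_triage(incidents=SAMPLE_INCIDENTS) -> dict:
    """Map each incident name to the action the decision tree requires."""
    return {inc.name: triage(inc) for inc in incidents}


if __name__ == "__main__":
    now = datetime(2021, 3, 6, 9, 0, tzinfo=timezone.utc)
    for name, action in run_triage().items():
        print(f"{name}: {action.value}")
    print(f"Hours left on the 72-hour clock: {hours_remaining(AWARE, now):.1f}")
```

The first check deliberately treats “encrypted and the key was not exposed” the same as “no data at all”, matching the article’s laptop example; whether encryption actually holds up is a question the investigators answer, so the helper takes it as an input rather than guessing.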
“There are a lot of people who need to put aside everything that they are doing and immediately begin working on the breach because the 72-hour clock is ticking,” said Lenka Gondova, Bloomreach’s Data Protection Officer. “There is a lot of investigating to do. You also eventually have to notify everyone that is impacted. This is very challenging and a difficult but necessary process.”
Failing to Comply Can Have Serious Consequences
What happens if you miss the 72-hour window? Bad things happen. Just ask Twitter.
Twitter was fined $546,000 for missing the 72-hour reporting window for an incident in January 2019 that disclosed users’ private tweets. The fine was issued by Ireland’s Data Protection Commission in December 2020.
The main message for marketers in all of this? Be as careful as you can with customer data and do everything possible to avoid a security breach. Doing that, and working with our world-class Customer Data and Experience Platform (CDXP), will help you be as prepared as you can possibly be to handle security breaches and incidents.
Bloomreach is Here to Help
Bloomreach’s commitment to security is unrivaled in the CDP space. Need proof? Bloomreach was the world’s first GDPR certified SaaS company and holds top security certifications to ensure that our customers have full protection when using our platform.