Covering the People in Data Exposure

by Richard S. Levick and Gary A. Pudles

Data exposure incidents have too often been treated as primarily IT matters. Yet if prevention and response strategies are to be effective, they must involve people: employees and customers.

People cause data exposure. Risk sources include unscrupulous employees who have direct access to data and IT personnel who are motivated by their ability to crack data and network security.Other sources are staff members that lose, or fail to secure, devices that often contain vital data including cell phones, laptops and PDAs.

Here are several steps to lower your risk:

• Drill personnel on the importance of safeguarding data-carrying equipment and important files.
• Hire supervisors who can manage effectively. They will inspire loyalty and trust from employees who will then report suspicious behavior.
• Step up monitoring and implement password protection for specific files.
• Arrange for whistleblower hotlines answered by trusted third parties so you can find out about data exposure before your customers or regulators do.

The best preventative measures will not completely eliminate data exposure incidents. Your organization must be ready to respond to them, and to the resulting negative publicity that could damage your reputation.

Customers feel threatened when these disasters occur.Was my information warehoused with that marketing firm? Could they have my Social Security number? Here's how to respond:

• Use yourWeb site to inform customers of their rights and opportunities ahead of a crisis. They will then be more likely to grant you permission to make mistakes.
• Act with speed and decisiveness when a crisis occurs. It is more important to show leadership than to have all the answers.
• Plan a media strategy through your site and blogs. Anticipate the data exposure problems you are likely to have and create the site now. Do not wait for the crisis to occur. Identify those in the blogging, academic, legal, nongovernmental organization and government communities who are likely to be sympathetic and helpful. These steps will allow you to quickly unveil a site and have accurate blogs and supportive third-party spokespersons.
• Train or outsource a data exposure hotline team.Outsourcing provides quickly adjustable capacity to meet call volumes and make large numbers of calls without major investments.
• Consider self-reporting and even apologizing to the public. It will show that you are a good actor, thus dramatically lessening how long a story stays in the news.
• Seek support now from the professional and trade associations to which you belong. It will show that your company is actually part of the solution, not the problem.

By applying effective solutions to minimize people risks and maximize response, your organization will lower the odds of data exposure events happening, and increase the chances of surviving these disasters if they occur.

Richard S. Levick is president/CEO of Levick Strategic Communications, Washington, DC. Gary A. Pudles is president/CEO of The AnswerNet Network, Princeton, NJ. ReachMr. Levick at rlevick@levick.com and Mr. Pudles at gary@answernet.com.