Data breaches happened less frequently in the past. With the increased activity in ransom-ware, data breaches are now becoming a daily occurrence. Major corporations like Sony, Domino’s and Home Depot have been hacked. It is believed that there will be more data breaches in the coming months and years. If, as an employer, you find yourself in the unfortunate situation of a data breach, how are you going to communicate the breach to your employees? What happens after the security breach?
Employers should notify the breach to employees as soon as possible once they have all the facts about the breach. Employees have the right to know about the breach incident directly from the employer, rather than from the rumours circulating. On the other hand, the companies are also required to make sure that workers will keep the shared information strictly confidential or at least until it is officially announced.
An Inside Job?
It is essential to ensure that employees are receiving the right information in a timely fashion. Tell them that concerned department has started investigations about the matter; without divulging too much details into the breach, so as not to alarm the culprit in case it is an inside-job.
An Outside Attack?
Share more detailed information (as they become available) about the breaches if your investigation confirms that the cause is not internal. Update them as frequently as possible. This will ensure that the workers are not worried about their personal information. Personal information, like: address, social security numbers, birthday, salary amount, etc. could be recipes for an identity theft.
You need to think about Data Protection Act (DPA). In the UK, for instance, businesses must adhere to DPA. This act ensures that employers holding personal information on their workers must keep the information safe and secure. DPA is very helpful to avoid information breaches.
Businesses must report data breaches to the Information Commissioner in the UK. It also makes sense that employers inform and update their employees at the same time. If it is confirmed that employees’ personal information have been compromised, then the employer should offer support to its affected employees. Advice such as what the next steps should be and what to do if unauthorized credit card transaction is posted in their account. Detailed procedures should be described so that the victims can take immediate action whenever they face identity theft or unauthorized bank transaction.
It would be better to develop a database or provide a fully dedicated hotline so the staff can call and ask questions about the breach.
Official Press Release Statement
It is important to communicate with all employees, informing them that they are not authorized to speak to the press media about the incident at all times. Tell them that it is a standard process and everyone should obey this because the breach is related to company’s reputation and business.
Remember that data breaches are juicy stories. Reporters and bloggers love to write about them. Many true and false stories will be written. The key is to share the details with employees and release an official press release. You can win the trust of your employees by sharing timely information with them. This will give them more confidence and they will not share the details outside the company. The last thing you want is for the employees to learn about the breach from a third-party website or other traditional media.