IT Director EHS Brann Discovery

What should you do if you lose customer data?

20th Apr 2010

Loss of customer data can lead to stiff fines and loss of trust. But if the worst should happen, there are ways to mitigate the impact.  

In recent years we have all talked a lot about data governance and data security. We have shared our views on the vulnerability of personal information after a series of high profile data breaches and debated what companies need to do to ensure that they have effective data governance strategy and practices in place. What we have been less eager to talk about is what would happen if you or your agency lost your data.
I can feel you squirming in your seat already. It’s human nature to avoid talking about difficult things. We actively avoid talking about death, redundancy, illness or anything remotely uncomfortable. Yet I feel this is a conversation we need to have, because as a business the consequences of not keeping client/customer data safe and secure, and ultimately of losing it, are serious, with the potential to damage a company or brand irreparably.
People are the key to delivering successful data governance within a company, be it agency or client side. Yet people can also be the biggest factor in any data loss. Human error will happen whether we like it or not and however we control against it. The consequences and longer term ramifications of a data loss are all to a large degree within your control and will be determined by the way in which you handle the situation. Fundamentally a data loss does NOT have to mean game over. 
Prevention is always better than a cure…   
Yes, that old chestnut! It would be obvious to state that a number of preventative actions should be taken before engaging an agency to process or manage your data, or that an agency handling data should have in place. Most of these steps should have been raised within the initial ITT or RFI document, both of which should feed into any subsequent contract. 10 key questions I would recommend you get satisfactory answers to before letting anyone near your data are as follows:
  1. Can you supply a copy of your data transmission policy or security policy?
  2. Do you have any security awards, certification or industry recognition?
  3. How will data be physically secured?
  4. What logical security measures are in place to protect my data?
  5. Are backup procedures effective and how often have these been tested?
  6. How do you ensure regular backups are taken and where are these stored?
  7. How are agency staff who have access to your data vetted?
  8. Do you use any third parties to process or store data?
  9. What data awareness training and education is conducted?
  10. Do you have a data breach management policy or process in place? If so, can you supply a copy?
Asking for a data breach or loss contingency plan may seem unduly cautious and it’s another one of those difficult questions to ask, as we don’t like to talk about when things go wrong. However, given the potential consequences of a data loss or should the agency cease to exist, it is vital there is a contingency plan in place so you can understand how your business would be affected and the level of risk you are exposed to.
Also, do not be afraid to ask for physical evidence in the form of a document, process, training or test log to support any of your questions. It is essential that you distinguish between secure data practices and where lip service is being given. Your data is an asset and is one of the most valuable marketing tools at your disposal; remember that and ensure you are 100% satisfied with the hands you will be leaving it in.
If the unthinkable does happen…
There is great value to be had from following the 4 Cs: Cool, Calm, Collective and Constructive. Nothing will be achieved from panic. Immediately form a core team with a lead individual and set about establishing the exact facts. These are likely to include:
  • What is the extent of the breach?
  • Was data stolen or lost?
  • What is the data journey? Where has it been, including file servers, email accounts, FTP servers and remote locations?
  • How much data?
  • What type of data has been lost? E.g. is it sensitive? Does it contain financial information?
Protect yourself and your customers…
Once you have the facts, the next phase in any data loss situation is to create a mitigation plan to ensure you and your customers are protected and inconvenienced as little as possible. Start thinking about the following questions:
  • If the media (laptop, USB, hard copies) is lost, what can you do to find it?
  • Can you contain the loss? Is there a damage limitation exercise which can be deployed?
  • If the data contains account numbers, can these be changed?
Depending on the type of loss, you may be required to notify regulatory bodies. For example, if the data was stolen and could be used to fraudulently manipulate individuals’ accounts, you should notify the FSA and ICO, as these bodies do not look favourably on any delay in notification, and the FSA has a statutory objective to reduce financial crime. The new Data Breach Notification law is likely to be coming into force soon, which makes it mandatory to report a data loss. So, it’s important that proactive measures are taken now.
Communication is one of the most important aspects of data loss management, but often one where people fall down. A communication plan for all internal and external stakeholders for the purposes of data recovery, business impact control and media relations is essential. This warrants a paper all on its own, so I won’t go into more detail now apart from re-iterating this is essential and if done badly will severely affect the reputation of your company/brand.
The road to recovery…
Hopefully there will be a successful outcome in terms of retrieving the lost data and it may transpire that the loss was due to a misunderstanding or confusion in the relationship between you and the agency/data holder.   
After the initial incident resolution, it’s essential to spend time understanding why and how the breach happened with a formal review, positively communicating steps which have been taken to ensure it will not happen again. If an external party was responsible for losing your data (agency, supplier), I’d recommend using this time to audit the data you and your agencies/suppliers hold, and to re-review who needs access to this and how the data is being used. Once the review is over you need to ask yourself: are you able to continue the relationship with your agency, or has this become untenable?
And lastly…
As an organisation (touch wood, with everything crossed) we’ve not lost any data (our own or our clients’). However, we’ve been through the significant process in terms of time and resource in planning for the worst. We have worked through different scenarios, we’ve looked at the worst that could happen and we’ve had those difficult conversations none of us want to have, but we feel in a better place for doing so. And it’s enabled us to continue on the ever changing voyage of data, governance and ultimately discovery armed with a map, a manual, skilled crew and both paddles a little more confidently.
Paul Eveleigh is head of IT at EHS 4D Discovery.
