Data Breach Plans Must Account for Human Element

Another day, another data breach. Breaches have become so commonplace that most companies now realize it is a question of “when,” not “if.”

To successfully execute a response, every company must create a plan of action to guide the company through the crisis. But it’s important to remember that any plan will be executed by people—and regardless of who they are, those people bring human factors into an already stressful situation.

Research shows the impact that stress can have on an employee’s performance. One British study found that those experiencing short-term stress use decision-making techniques similar to small children. In other words, they may “react to problems they don’t quite understand with an emotional (snap) response, rather than a considered logical solution.”

Executing a successful breach response amid the chaos requires close attention to people and their stress, fatigue and other emotions.

Even the most seasoned executives may crack under pressure. Remember the BP executive who made an unscripted remark, wishing he could have his life back during the height of the BP oil disaster? Perhaps more than any recent example, that slip of the tongue showcases the peril in making one high-stakes decision after another for multiple days.  

Building the right crisis response team and incorporating safeguards that protect against human failings can prevent that kind of PR disaster and enable efficient and effective execution of the incident response plan.

Plan for Emotional Reactions
A few emotions likely will affect every member of the team at some point during the response. The first of these emotions is often denial, refusing to believe that this can happen to your institution. Moving the crisis team beyond this feeling quickly is key.

The team also may experience tunnel vision, an inability to consider outside viewpoints. Research shows that decision-making under stress causes people to focus on the positive and potentially ignore any downsides of decisions they make. This lopsided decision-making can bring about devastating consequences. That same research notes the difference in how men and women respond. Men are likely to take bigger risks when under stress, while women become more conservative.

All of these are important factors to weigh as you begin to build a team. But personalities aside, there are ways to blunt the impact of these emotions on executing a successful response. 

Tips to Minimize Mistakes
First, build the team and discuss strategies for how you will respond. How will you keep a customer-centric response at the forefront?

Then, practice by creating scenarios that mimic an actual data breach. This will give the crisis team an opportunity to practice decision-making when the stakes aren’t so high. 

The simulations also may point out where the team could use outside assistance. For example, your call center is used to dealing with specific customer requests and is not trained to handle calls about a data breach and identity theft. That’s where a customer response and notification provider proves invaluable. Other outside experts to consider include crisis communications, forensics and privacy counsel.

These outside experts should have plenty of experience in dealing with crises or data breaches. Look for partners, particularly in high-visibility areas like customer response, who have the expertise and capacity to handle the increased customer demand that a data breach announcement generates—a key bit of experience that your team likely does not have. 

It is important to design response plans that play to the strengths of your internal crisis team, then fill gaps with outside experts and begin to simulate actions you’ll take when—not if—a data breach occurs. 

Any crisis response plan that merely sits in a file cabinet won’t prove nearly as effective as one that is honed and practiced by the very people charged with executing it. While no breach is an easy event, your team can manage the human factor through practice.