Data Breaches Are Big News and Bigger Trouble. Here's How to Prepare
7 Aug, 2019 By: Mary Helen Sprecher
Last week brought the unsettling news of the latest data hack, this one involving some 100 million Capital One credit cards. In addition to credit card applications, social security numbers and other information were compromised. Since that time, StockX, the online market for retro sneakers, has also fallen victim to a data breach. And looming over everyone's head is the Equifax breach as well.
As an event owner, the idea of someone stealing sensitive data is a nightmare. Factor in the knowledge that most event owners have registration information (not just credit card payments but names, addresses and other contact information, including that for youth athletes) and it’s an even bigger nightmare.
Unfortunately, many event owners continue to turn away from trying to mitigate or avoid the potential problems a hack can cause, falling back on “Nobody would bother with our event” and “We’ve never had that issue.” The bad news is that those two statements are the reason hacks take place.
So what should event owners be doing? Three steps – assessing threats, lowering your liability and creating an action plan that can be used in case of crisis – will go a long way toward helping out.
Have a System Check: Not by you, not by your computer-literate neighbor kid but by a professional organization whose job it is to examine and locate weaknesses in your system and recommend updates that can mitigate potential problems. A multitude of companies on the Internet claim to be able to do this; however, it is inadvisable to pick one at random. Additionally, because the cybercrime defense industry is proliferating, an enormous number of trade and professional associations exist. (We’re not about to recommend just one or two.) And unfortunately, the Internet is rife with articles describing how to get started on a lucrative career in cybersecurity.
So how to find a reputable provider to conduct an audit and fix potential problems? Reach out to your colleagues. Talk to the company that set up your website. Discuss it with your corporate lawyer. If you work with a housing bureau, they may have recommendations as well. Professional associations you belong to may also have good advice.
Remember that because cybersecurity threats evolve, reviews of your system will need to be performed on a continuing basis. We have already seen that not only are new hacks hitting the news, but system vulnerabilities can be exploited in areas as innocuous as airport lounges.
The ultimate goal is to compile a list of steps your contacts have taken, making sure to ask what services were performed, how long they took, how often they are updated and the overall cost. When you make your selection, it won’t be a random choice.
Make Sure You’re Covered: Insurance companies that specialize in planned events, such as sports, often offer special coverage for those who want to guard against damages, according to Lorena Hatfield, marketing manager for K&K Insurance, who noted, “Cyber liability insurance does exist; K&K includes it in some, but not all, of their program coverage, but we really aren’t the experts and don’t offer it as a ‘stand alone’ policy as other insurance companies do.”
If a Breach Does Happen… Obviously, you’re hoping against hope that it won’t happen but just in case, the Federal Trade Commission has provided a full action plan. A few of the key points are as follows:
- Make sure your professional cybersecurity company is aware of the breach immediately. Follow their instructions, such as changing passwords and locking access to computers where information has been stored.
- Notify your legal counsel without delay and follow recommendations.
- Notify law enforcement and ask to be connected to the appropriate department to handle the matter.
- Contact your insurance provider, who may need a copy of the police report.
- Consider providing information about the law enforcement agency working on the case, if the law enforcement agency agrees that would help. Identity theft victims often can provide important information to law enforcement.
Always have a communications plan set up in advance to reach out to all those whose records you have kept: This will lay the groundwork, should you need to get the word out about a data breach in the future.
The action plan will communicate the news of the breach to all those affected, including not just athletes and their families but vendors, employees, customers, investors, business partners, athletic trainers, sports commissions, convention and visitors’ bureaus and other stakeholders. (The FTC link includes a sample letter that can be sent out.) Anticipate questions that people will ask and create a FAQ section.
Information acknowledging the breach should be posted on your website as soon as it is finalized. Good communication up front can limit concerns and frustration, and could be helpful in efforts to save time and money.
Among the information that should be posted:
- A description of the breach, including the fact that certain records may now be at risk.
- Significant dates: When did the breach occur? Is there any way of knowing which records were compromised?
- Tell people what steps they can take, given the type of information exposed, and provide relevant contact information. The FTC advises that people whose Social Security numbers may have been stolen should contact the credit bureaus to ask that fraud alerts or credit freezes be placed on their credit reports. The IRS Identity Protection Specialized Unit can also be reached at 1-800-908-4490. See IdentityTheft.gov/databreach for information on appropriate follow-up steps after a compromise, depending on the type of personal information that was exposed.
- Include current information about how to recover from identity theft. For a list of recovery steps, refer consumers to IdentityTheft.gov.
- Encourage people who discover that their information has been misused to file a complaint with the FTC, using IdentityTheft.gov. This information is entered into the Consumer Sentinel Network, a secure, online database available
- Describe how you’ll contact consumers in the future. For example, if you’ll only contact consumers by mail or via a direct e-mail from a specific address, then say so. If you won’t ever call them about the breach, then let them know. This information may help victims avoid phishing scams tied to the breach, while also helping to protect your company’s reputation. Some organizations tell consumers that updates will be posted on their website. This gives consumers a place they can go at any time to see the latest information.
Above all, don’t delay in releasing information to those affected. Gather all information as quickly and efficiently as possible and refer to your communications plan. Having a plan and being able to follow it will provide the best possible road map through the troubled time ahead.