Fined over data compliance: What should you do next?

Know the law

According to Rowlands, after the breach occurs and you learn about the violation and associated fines, the next step is one that involves your legal department. It's important to know not just the violation fines and the data breach that occurred but how it impacts the business in general.

"Make sure you know the law," he says. "It might be tempting to try to keep things quiet – or it might be just as tempting to want to inform everybody, in an attempt to look like the good guys. Before you do either of those things, make sure you know what the regulatory and contractual obligations are.

"It's very likely that there will be regulators to notify. You may need to involve law enforcement. It's probable that you have insurers to inform (you do have that policy in place, don't you...?). When you know all these things, move as fast as possible to notify those who are involved or, if you can't be certain, those who might be involved."

Fix the problems

After analysing the legal ramifications, companies should then move into a remediation phase – fixing the problems. This requires a security evaluation to determine what caused the breach and a thorough process of fixing the data breach problems in accordance with the regulations.

"Chances are you will also be instructed [as part of the compliance violation notice] to take proper measures to avoid a recurrence of the issue," says Redmon. "Demonstrate to the regulator that you're taking it seriously." Redmon adds that the fines can be higher if the same violation occurs again and the company did not take adequate measures to resolve the issue.

Work with the media

Another step to take once you have learned about a compliance fine is to notify the local media. Redmon says this is a matter of prioritisation. "You have to find out what laws have the shortest timeframes for reporting," he says. "Make sure you have an internal Public Relations person or contract with an outside PR firm to help coordinate both internal and external communication. You'll need help with explaining the incident to employees, preparing talking points in case they receive questions from the public, and also a point of contact for media inquiries."

"Remind the world that the best security in the world still may be compromised," he added. "Even a company using reasonable efforts to secure its data and environment is at risk. Communicate openly and plainly, but only after you have secured the facts and have a plan.

"Second, comply with disclosure requirements, demonstrating to regulators and the public that you've taken the matter seriously. Third, conduct a post-mortem review to determine what changes need to be made going forward in order to prevent a recurrence."

Of course, companies should also work with employees, educating them on the compliance violation and why it occurred. Due diligence means making sure everyone at the company understands what happened and how the problem will be resolved.

John Brandon
Contributor

John Brandon has covered gadgets and cars for the past 12 years having published over 12,000 articles and tested nearly 8,000 products. He's nothing if not prolific. Before starting his writing career, he led an Information Design practice at a large consumer electronics retailer in the US. His hobbies include deep sea exploration, complaining about the weather, and engineering a vast multiverse conspiracy.
