Data Breach: Do not underestimate the power of the Dark Side

Data Breaches happen all the time. It’s difficult to get a clear statistic on exactly how exactly how common they are (a recent survey suggests that over %50 of organizations have had a breach in the past year). Last year nearly 2,300 data breaches were reported to the Office of the Data Protection Commissioner. This is only reported breaches, of course. A good number of smaller breaches would not have required notifying the DPC, and there is of course always the possibility of larger breaches where the DPC should have been notified but wasn’t . . . and the possibility of breaches that hadn’t yet been discovered.

While the most highly publicized data breaches may be due to external attacks, most breaches are caused by simple human error. According to the Data Protection Commissioner, “The principal causes of data breaches were human error and not systemic, such as the inclusion of the wrong bank statement in the wrong envelope, or the attachment of the wrong spreadsheet to an email.” Human factors require support and mentoring.

It is very important to consider the “human factor” when developing a response plan.

1. First of all, stay calm and don’t blame anyone. Our emotional response we have to finding out about a data breach we may have been involved in is similar whether we were the data subject whose information has been breached or the controller responsible for the data that has been breached – feeling loss of control, and fear about what will happen. This can easily lead to panic, but it’s counterproductive. As my favourite 900-year-old wise guy said, “Fear is the path to the Dark Side. Fear leads to anger. Anger leads to hate. Hate leads to suffering.” And while Sith lords may have a keen sense of style, their typical response to human error is somewhat lacking.
2. Speaking of support and mentoring, responding to a loss of control by punishing your subordinates is a good way to make sure people hide data breach risks in the hope that nobody will notice and the problem will just go away. (I certainly wouldn’t have wanted to be the one to suggest to Lord Vader that there might be a security risk to the Death Star involving the thermal exhaust port. I mean, what are the odds that it will really be a problem?) This is when small breaches turn into large headaches.

When choking coaching our clients, we advocate creating a solution focussed, blame free culture where people feel free to report any risks so that they can be mitigated. Knowing the risks and finding solutions are far more important than apportioning blame. A blame free reporting culture also helps your organization to learn from near-misses, so you can fine-tune your procedures to mitigate risks as well as honing your breach response. Focussing on lessons learned gives you ways to improve your treatment of data as an asset and minimize the risk of breach.