With only 72 hours available to you when you receive a data breach report, there is a Nightmare Scenario which could happen to you. It’s called a Bank Holiday weekend.
It forms part of our training. Yet still, when I talk to business owners and managers they frequently dismiss the possibility of the Nightmare Scenario happening to them. With a waft of a hand and the utterance of the word “pfaff”. Or something like it…
This Bank Holiday weekend, it happened to one of our clients.
It will be the Friday of a Bank Holiday weekend. You’ll be closing down for the weekend. By 5pm anyone with responsibility for anything important has gone. Probably for a weekend break in a remote seaside or wilderness location with no mobile signal and no wifi.
Then it happens. The skeleton staff on duty either don’t see it or don’t know what to do with it – at 5.15pm a report of a data breach comes in by email, phone call, website contact form or private message.
Nobody is back on duty until 9am Tuesday morning. Your 72 hours ran out long before. Nobody noticed, nobody knew what to do, nobody could get hold of the people who needed to know, nobody responded. If the breach is real, it remains a gaping hole through which valuable personal data is leaking out into the world.
Too late, you find out what has happened. To late to take remedial or defensive action to protect your data subjects.
I bought something from you yesterday and this morning my card details were used by someone else!
We tell the story of the Nightmare Scenario to demonstrate how short a period 72 hours really is. Whilst it obviously could happen we never imagined it would.
Yet at 4pm last Friday, it did (last Friday marking the start of the May Bank Holiday weekend). A customer walked through the door of the clients’ premises and almost shouted,
“I bought something from you yesterday and this morning my card details were used by someone else!”
Fortunately the client is a Key Member. Their customer facing employees are privacy aware, trained and had a process to follow.
The clipboard with the checklist and recording form was whipped out, the details noted and the reported incident was investigated.
False alarm. Turns out for this one it wasn’t our client at fault. No further action needed. The incident was recorded and the outcomes noted.
The report was met with the calm, confident response which can only come about as a result of training, awareness and procedures which are followed.
The customer was reassured. No harm done.
If it can go wrong, one day it will go wrong. What matters is how you respond.
How will your business respond to the Nightmare Scenario?