You’ve often heard, don’t sweat the small stuff. When it comes to your organization’s response to a data breach, regulators say you’d actually better sweat that small stuff. There’s no better indicator of problems with the big stuff than ignoring the small stuff, according to several regulators who participated in a round-table discussion of corporate-data-breach-response strategies.
Ryan Kriger, Assistant Attorney General of Vermont, tells the stories of two vastly different corporate responses. In one—the best breach notification he ever received—a president of a local company called him personally on a Monday to report that the company had discovered a breach the previous Thursday. They had already notified the FBI and were working closely with them, notifications were going out the next day, and they had pulled the hard drives. In the other case, Kriger was the one calling the company because he learned about a breach incident. The company denied that the breach had even occurred.
“When I hear that, I know that this is a business that might wind up needing an enforcement action,” Kriger said. “In 99 percent of cases we decide very early on whether the company might warrant action.”