3 Ways to Turn a Data Breach into a Positive Experience

A crisis can be a great opportunity for examining weaknesses and building a stronger company.

Posted by Dawn Lomer in Corporate Security, Information Security on December 8th, 2011

In the world of electronically stored data, information security is critical. Consumers’ most personal information is contained in the files held by the service providers with which they do business. It’s health data, it’s financial records and it’s other personal identifying information that consumers trust their providers to keep safe.

So when there’s been a data breach, the provider’s finances and reputation are both on the line and the future can look pretty bleak for those on the inside. That’s when it’s most important to focus on what can be done to improve the systems that led to the data breach and turn the experience into an opportunity to strengthen the company.

“Data breaches can actually be a very positive opportunity for an organization, believe it or not,” says Christine Arevalo, Director of Healthcare Identity Management at Idexperts, which specializes in data breach care. “They force folks to open their eyes and look at risks in a different way.”

Getting the Budget

One way companies can leverage data breaches for positive change is to use them to divert money into security. Crises get the attention of the whole organization and reinforce the importance of prevention. “They can assist organizations in finding budgets for things that they didn’t think they could before,” says Arevalo.

“Data breaches are unplanned and unbudgeted. And suddenly the purse strings open and there’s money to handle the situation. So if you’re a privacy officer and you’ve been trying to get the attention you need… it’s kind of a good thing.”

Eliminating Silos

Another way to profit from a data breach is to use it as a catalyst to improve internal communication. Arevalo suggests having a third party review the results of the internal investigation once it’s complete, then convening a group of stakeholders within the company to discuss it.

“So as opposed to managing this type of situation completely siloed up in risk management or IT or privacy or compliance, let’s get all these people at the table and let’s talk to everyone about their perspective,” she says. “And I can guarantee you that that process forces some crucial conversations about how people really feel about the data that’s been lost, the risk to their organization, other types of legal matters the organization is dealing with… that they aren’t talking about.”

Building Relationships

Although communication within the organization is a big part of fixing the problem, a data breach can also be used as a way to show your members, customers or patients how much you care about them, how much you value their privacy and how much you are concerned about the fact that this happened, adds Arevalo.

Letters advising victims of a data breach are usually generic and impersonal. “They get sent out a million at a time. You really don’t feel like a person when you get something like that. You feel like a bar code on the bottom of a piece of paper.”

Arevalo advises open communication with the victims to make them feel less like numbers and more like people. A company can use the opportunity to strengthen its customer loyalty by listening and responding appropriately.

“We learn a lot from social media about the perceptions people have, about the letters they receive, their call centre experience, about the type of services they are being offered, or not, and the tone of how they are communicated to,” she says. Responding to this information with understanding and backing it up with action can gain customer loyalty that remains long after the crisis is a distant memory.


Dawn Lomer

Managing Editor

Dawn Lomer is the managing editor at i-Sight Software and a Certified Fraud Examiner (CFE). She writes about topics related to workplace investigations, ethics and compliance, data security and e-discovery, and hosts i-Sight webinars.