Saturday, 23 July 2011

Managing data breaches – the human factor

No-one ever seems to write about what effect breach management can have on the people actually tasked with managing the breach. I’m incredibly fortunate to be able to have experienced a couple of incidents where bad people have acquired and abused confidential personal information, and so I do appreciate what a toll it can take on those living at the centre of the storm, those who are managing the incident.

A great deal of early activity is accompanied by a rush of endorphins around the body. Everyone feels energised and up-beat at the prospect of dealing with something slightly out of the ordinary. The key players are surrounded by others who are keen to learn more about the incident, and particularly to learn how they might be affected by the incident. Just what was it that went on? Did it happen on their watch, or was the incident the result of issues that had actually occurred before they were in post? And what can they do to help? The 24 hour media means that new developments are reported at an astonishing pace.

The second wave of activity is accompanied by a sense of endurance – the pressure remains, and as people become more aware of what it is that they are required to do, the tone of the responders changes. From high level principles to a more granular approach - now more detailed plans need to be developed, and all of the consequential issues need to be addressed. Life gets more difficult, as decisions have to be taken on who should be doing what. It’s not just about words, the plans have to turn into concrete actions.

The third wave of activity is accompanied by a sense of exhaustion – the pressure not only remains but it builds, if the key players aren’t able to keep their energy intake high enough. Somehow, as well as this crisis management stuff, people have to eat, sleep, get other important pieces of work done, and give their brains enough time to focus. I can find it really hard just to focus on a single issue at a time, and make a decision. I’ve found that if I concentrate on too many things at once, the brain paralyses and I can’t make good decisions. Or any decisions, actually. But this is no time for self-doubt. This is a time for relying on instinct and the good will of colleagues with whom a great working relationship has been built up over the previous months.

In essence, it’s a time for fully appreciating the need for team work. And letting everyone in the team know that they are all appreciated, and that others are depending on them to play the role that has been assigned to them. The business has to prepare itself for the questions that will be asked by the potential victims of the breach, when the business is in a position to share whatever news it has with the victims.

But before this, a common narrative must be developed. Everyone must be clear about what happened, how it came about that it might have happened and, critically, why the business has decided that this is the time to notify victims or potential victims.

If I were a victim, I would want the business to be able to explain to me how it had affected me, and what I could do to learn more about the incident, or make sure that the effects of the incident could be mitigated. I am sure that I would feel let down – so the business will have to reassure me that their current business processes are sufficiently robust that these unfortunate incidents can’t happen again. I’m going to be impressed by the ability of the business to look after me, and really give me a sense that they care about me. And that will take a lot of effort.

So, to look after a victim, the business has to prepare itself. And this can involve a considerable amount of teamwork from people who have never played in that team before. But, if the business has values which allow people to work closely together in a non-judgemental manner, and the business culture is one which truly cares about its customers, then the business is in a good place. Just how customers will react is another matter. And one which I won’t discuss in this blog posting.

If I have a key learning to take away from the breaches I have had the honour of dealing with, it would be that the immediate personal needs of those managing the incidents can be overlooked. They are only human, too. They are not machines that will continue to operate at maximum efficiency 24/7. The human body needs time to recover from what turns into an extremely traumatic process. It needs to be rested, fed and watered, regularly. It is not designed to operate in a highly stressed environment for extended periods of time.

I feel I know what it’s like to operate in a war zone. And now I want some rest and recuperation, before another period of intense activity commences.