Three Questions to Ask About Your Company Before and After a Data Breach

Your company will inevitably suffer a data breach. As long as there is valuable data to mine, there will be people to mine it.

1. Is a data breach an exercise in damage control?

Companies experiencing a data breach may sustain negative repercussions, but the good news is that a quick response to mitigate risks is also an opportunity to strengthen systems and build transparent client relationships that will bring long-term returns.

2. Who do you protect during a crisis?

Imagine a hospital full of doctors whose only directive is to concern themselves with the hospital’s interests, rather than those of the patients they serve. Does that sound right to you? Not at all.

It’s the same in business. Yes, businesses need to pursue their own self-interest, but they must also keep their customers’ interests front and center. For companies that collect personally identifying information from their customers, this means keeping that data confidential and safe from those who don’t need the information to deliver services. Many states impose prompt breach reporting duties, as do federal regulators. Companies should promptly report breaches so clients can mitigate their risks.

3. Is “client-centric” a customer service and sales concept?

Compliance has been described as a form of quality assurance, making sure the company’s reputation and brand are protected. A client-centric approach to compliance supports a healthy balance between pursuing the company’s interests and the customer’s. When mistakes happen, make sure any remediation efforts are focused on fixing the mistakes and assessing client impact. A cover-up or failure to report as required can cause greater loss of client loyalty and brand credibility, along with the added costs of Compliance investigations.

Can Your Compliance and Governance Program Stand Up to Scrutiny?

People sometimes justify their questionable ethical decisions by using what behavioral economists call “fudge-factor thinking.” When deciding how to behave in tough situations, many rely on two rationalizations: (1) there isn’t a real victim, and (2) everyone else is doing the same thing. Is your company’s governance addressing “fudge-factor thinking”? If it is, it’s time to refresh your compliance and governance program. Revamp training to refute these rationalizations; show the specific impact of unethical behavior and examples of employees who choose to act in the best interests of customers. Foster a program that incentivizes good employee behavior and continues to debunk any reliance on “fudge-factor thinking” to justify unethical behavior.

Remember that Compliance and governance are subject not only to the scrutiny of government and regulatory agencies, but also to the scrutiny of customers, investors, and the public whose trust your company relies on.

Not Prevention, but Preparation

A data breach can bring on a crisis of trust that can damage the bottom line. Although you can’t ever fully prevent a data breach from occurring, you can prepare for the aftermath should it ever happen. Asking yourself these questions about your company may help you see where the cracks are that can be filled.

For further reading, check out my book, How to Deliver Triple Bottom-Line Compliance. I go in depth into how Sustainable Governance affects the bottom line, the strategies that help take Compliance from the basics to beyond, and the skills that COs need to succeed in this new paradigm.