Lessons on managing a data breach crisis (from an amateur conference organiser)

Tim de Sousa

It’s been a big year for elevenM – we’ve grown rapidly, taking on new people, developing new products and tackling new challenges.

One of my biggest challenges was actually an extracurricular one – the Annual Summit of the ANZ chapter of the International Association of Privacy Professionals (iappANZ). As specialist privacy and cyber security professionals, we have a close relationship with iappANZ, not to mention that one of our founders, Melanie Marks, is the current iappANZ President, and I’m on the Board. Which is how I ended up as the co-chair of this year’s Summit.

Law schools don’t really offer courses in event management, so I approached this completely, utterly blind. Ultimately, as a consequence of a great deal of hard work by many people, the Summit was a resounding success. But for me, the actual day was rather stressful and frantic as I tore around the place trying to do everything at once.

Basking in the relief of a completed job, it occurred to me that there were a lot of parallels between running a conference as a rank amateur and managing a data breach – high stakes, many moving parts, a lot of stakeholders, and limited time. I’ve dealt with literally hundreds of data breaches – they hold no fear for me. But this was entirely new territory. So, gin and tonic in hand, I jotted down a few of the more important takeaways.

  1. Bring in the pros, and do it early

I didn’t know anything about managing conferences. But we brought in some expert help – the good people at Essential Solutions. They’ve produced dozens of conferences. They understood all the likely friction points, had connections with suppliers and pre-existing relationships that they could leverage. This was a level of experience and expertise I didn’t have and couldn’t acquire quickly.

Having pros on the team meant they could help identify issues and problems while they were still molehills, and we were able to deal with them before they became mountains. This left me more able to focus on strategy and key decisions.

  2. Don’t be afraid to ask for help

On the day, there were a lot of small details and moving parts that had to be dealt with. Because I was frazzled and anxious, I insisted on managing all of this largely by myself so I could be sure it got done – everything from making sure speakers got miked up, to timekeeping, to moving chairs on stage. This was, in fact, way too much for one person to do. Like data breach management, event management is a team sport.

I actually had numerous people throughout the day – iappANZ Board members – ask me if there was anything they could help with. And I smiled and thanked them and said we had it all under control. I think I did this largely on autopilot – my mind was so occupied with my lengthy to-do list, I didn’t have the mental capacity to delegate. Which brings me to my next point…

  3. Plan ahead and allocate responsibilities

If you can’t think clearly enough in the thick of it to delegate, you need to do it before the crisis arrives. If I had known what would have to be done, asked for volunteers and allocated tasks in the lead-up to the Summit, I would have been much better able to spread the workload.

A good data breach response plan can help you do all of this – it can include the contact details for pre-vetted expert support, set out the key steps of your organisation’s data breach response so you don’t have to scramble to work out what to do next in the heat of the moment, and clearly set out roles and responsibilities to avoid uncertainty over who should do what.

We weren’t able to do a dry run on the conference, but you can run simulated data breaches and other training to ensure that your breach response team understands the plan, and their part in it.

And when you’ve successfully managed the breach and the dust has settled, don’t forget to pour yourself a gin and tonic.

If you need help developing a data breach response process, or advice on managing a breach, you can call us at 1300 003 922 or email us at hello@elevenM.com.au.