Breach! The low-tech lesson the Zappos mess has for Finance
All that free shipping may not seem like a bargain anymore! Here’s what any company can take away from the Zappos breach.
Shoe lovers everywhere were sent into a panic last week when online retailer Zappos disclosed a major security breach that impacted the information of as many as 24 million customers.
And while your company may not have nearly as large a customer database, there’s plenty for Finance to take away from this latest current event.
All the geeks have been Monday-morning quarterbacking the breach, and there’s a consensus on what Zappos did right and what it could have done better.
Checking out the Zappos post-mortem could help protect your company, considering that Finance is the home of some of the most sensitive information in any organization.
Easier to happen than you’d think
You might think a data breach only happens when some nefarious hacker gets into your company systems.
But there are plenty of more common and even accidental ways it could happen: a finance staffer steps away from her desk while processing paychecks and forgets to log out of the system. Or a file containing customer data gets accidentally misplaced. Both count as data breaches.
Assume IT has all the necessary precautions in place, as well as a response plan for when there is a problem.
So how ready is your department to react? Take a look at the Zappos specifics to get an idea:
What they did well: Zappos alerted customers quickly. The company didn’t wait days to start notifying customers. The clock is ticking. While you don’t want to be alarmist, as soon as your company has a strong suspicion data has been compromised, it’s time to tell employees, customers, etc.
Where they could have gone further: Zappos did speak up, but some critics felt it didn’t do so through enough different channels. The retailer chose to email customers, but could have done other things, too, like posting a warning on its website.
Where else they could have gone further: In its breach announcement, Zappos didn’t offer customers enough specifics. Of course you don’t have to say “Jamie in Payroll went to the ladies’ room without logging off and someone saw everybody’s Social Security Numbers.” But you do need to offer some detail on how it happened, what you think was compromised and how far-reaching it was.
You’d like to hope you never need to draw on any of these lessons. But it’s reassuring to know your best moves if it does.