Let’s get very real for a moment. Data security and data breaches are a big deal. As we have recently seen with Yahoo and Anthem, the impact of an organization “losing” user data can have a lasting financial and legal impact years after the actual breach occurs. For global organizations, the issue can quickly become complex as the following countries have legal requirements for notifying users if (and when) a data breach occurs:

• Australia
• Austria
• Belgium
• Canada
• Colombia
• France
• Germany
• Ghana
• Indonesia
• Ireland
• Lesotho
• Luxembourg
• Malta
• Mexico
• Netherlands
• Norway
• Peru
• Philippines
• Portugal
• South Africa
• South Korea
• Taiwan
• Turkey
• United States of America (48 states only)
• Uzbekistan

In the United States, only Alabama and South Dakota do not have data breach notification requirements. The other states have individual requirements that are quite complex to reconcile.

If your organization’s digital marketing team collects information — from names and email addresses to more complex data sets such as addresses, credit card information, or citizen identification numbers — you should have a policy to address that collection. This policy clearly ought to state the organization’s position on collecting such information, how information will be stored and protected, and what actions will be taken when a breach occurs. Remember that breaches can be small, such as an employee departing and mistakenly taking data or large, as in an external hacker gaining access by circumventing security. The range of circumstances can vary, but a breach response plan should be in place and tested.

With a functional (or active) data breach response plan you will be equipped to react when a data breach occurs for your organization. When the reality of a data breach occurs for your organization, you will already be equipped to deal with the outcome. After all, breaches are becoming more common regardless of industry or size of organization, according to a recent report. Those organizations unwilling or unprepared to face this reality, will likely suffer greater embarrassment and financial impact than that of Yahoo and Anthem. Without a plan, the next wave of breaches may be so real that one interrupts your basic business operations and you will be unable to recover.