Ten steps to build a data breach response plan for your business

Posted by Matt Simon on Nov 26, 2015

Does your organization have a data breach response plan in place? And if you do, how effective do you believe this response plan would be if a data breach incident occurred? It's an unfortunate fact, but a fact nonetheless: the data of more and more businesses is being targeted because it's so incredibly valuable.

According to a recent study by the Ponemon Institute, businesses affected by data breaches increased by 10% from 2013 to 2014. So it should be no surprise that businesses are responding by establishing a data breach response plan, as these numbers increased by 12% from 2013 to 2014.

However, the startling statistic from this study is that only 30% of the businesses that had a data breach response plan in place said their organizations were effective in developing and executing it.

And 78% of the study’s respondents said they do not regularly update their data breach response plan to account for changing threats or changes within their organization.

Businesses cannot simply check a box to say they established an incident response plan – they need to test their plan, practice it regularly and improve their plan on a regular basis.

Creating, implementing and improving your plan

Because a typical data breach involves a long list of moving parts that often need to be addressed simultaneously, it’s important to establish a response plan that takes into account a variety of scenarios and responsibilities that could come into play.

There's no one-size-fits-all data breach response plan. That being said, we have outlined 10 suggested steps that will help you create, implement and improve upon a data breach response plan for your business.

1. Research any legal issues

Research any federal or state laws that may apply to your business and keep this information up-to-date.

The current regulatory framework in the United States does not provide a national uniform data breach notification standard. The few federal regulations that do exist only cover specific industries, such as health and financial related data breaches.

The Federal Trade Commission (FTC) has also used its authority under Section 5 of the FTC Act to take enforcement actions related to data security. This regulatory structure makes compliance complex, so individual states have attempted to create more targeted laws regarding data breaches.

California led the way in 2003 by mandating that any company that suffers a data breach must notify its customers of the details of the breach. Today, 47 states and the District of Columbia have data breach notification laws in place.

Only Alabama, New Mexico and South Dakota have yet to enact such laws.

Notification laws vary from state to state, making it important for companies to understand the applicable laws in their state.

Congress continues to debate a move toward a national data breach standard to replace the patchwork of state and sectoral laws, but progress has been slowed for various reasons… imagine that!

With data breaches being a relative newcomer to the business world, the regulatory framework is fluid and complex. It's important for companies to always be knowledgeable on current regulations and to have a strategy in place before a breach occurs.

2. Research any prominent or emerging technologies

Consider any technologies that could impact the scope of a breach or impact how you could protect yourself from damage.

The evolution of technology is shaping the world of data breaches, which is why it’s important for companies to be aware of these emerging technologies.

For example, according to a study conducted by Experian Information Solutions, the global cloud is a growing threat and is adding a new level of complexity to the data breach response process.

How so?

Due to a rise in cloud computing, there are significant quantities of data that are traveling across national borders, and large data centers are hosting data from citizens all over the world.

While the cloud allows for global data flows, the data breach response laws are local. It will be a challenge for companies to provide protection to customers, keep up with each country’s regulations, and maintain compliance with all of them.

3. Assemble an internal response team

Identify your internal response team in advance by establishing roles and responsibilities.

Ambiguity and uncertainty can be devastating to a breach response. By establishing a response team and outlining roles and responsibilities ahead of time, you will keep everyone on the same page during a breach incident.

When assembling your team, choose representatives who are strong and capable and will ensure an efficiently executed response.

Start by selecting your incident lead. This individual will be responsible for managing your company’s overall response efforts, and the rest of the team.

Your incident lead should be able to act as an intermediary between executives and team members, outline a budget and resources needed to respond to the breach, report progress and problems, and much more.

Other possible team members may include: an executive leader who is a key decision maker in the organization; someone from your IT or security team; a legal or compliance expert; a public relations or communications expert; someone from Human Resources; and someone from customer service.

Carefully consider your team members, since a well-constructed data breach response plan, no matter how comprehensive and detailed, is only as good as the team that’s responsible for putting it into action.

4. Assemble an external response team

Depending on the size of the data breach and the size of your organization, you may need to rely on an external response team. Determine your strategic partners, establish a relationship with them, and make a list of those partners ahead of time.

From there, document the relationships in the response plan along with an explanation of the process for determining whether the individual strategic partner needs to be involved in a breach response.

Some examples of external partners include: PR firms; insurance advisors; computer forensics experts; law enforcement; credit monitoring companies; or call centers.

You could also secure a proven breach resolution partner, who specializes in developing a response plan and resolving a data breach. We can help you with selecting a reputable firm.

5. Outline a strategy for identifying and containing the breach

Acting quickly and strategically following a data breach is extremely important – identify who will be responsible and the steps they should follow.

Identifying a breach, determining its size and scope, and ultimately containing the breach are all critical to an effective response.

Identifying who is going to be responsible for these functions (whether internal and/or external response team members) ahead of time allows everyone to respond quickly without panicking.

Some of these steps should include recording the date and time that the breach was discovered and when the response efforts began, alerting everyone on the internal and external response teams, preserving any evidence, stopping additional data loss, reviewing protocols and much more.

6. Outline a notification strategy

Ensure that notification to any injured parties is provided in a prompt fashion by outlining your strategy ahead of time.

Depending on the information accessed, a breach can involve federal and/or state laws. Develop a strategy that determines how the notice is to be provided, who is responsible for making sure the applicable notification requirements are met, and the process to be followed.

Consider streamlining this process by preparing template notices, which would be in accordance with potentially applicable notification laws. In the event that a notification is required, those template notices could be customized accordingly.

7. Develop an internal communication strategy

Outline a process for internal reporting to ensure that everyone on the response team is up to date and on track during a breach.

Communication with all key stakeholders during a data breach is essential. The response plan should explain when and how the key stakeholders will be informed about the breach response, as well as any role they might play in the process.

The response plan should also identify who is responsible for disseminating information about a breach incident to other company representatives.

8. Develop an external communication strategy

Outline the strategy for communicating with the media and responding to external inquiries.

Depending on the size and scope of the data breach, you may need to report the breach to the media and respond to external inquiries regarding the breach.

Identify who will be responsible for overseeing that process and for developing the external message about the breach.

This team member should identify the best notification and crisis management tactics before a breach occurs, and should handle any media coverage, information leaks or negative press during the breach.

9. Conduct preparedness training

Practice and test your preparedness plan and perform regular reviews.

The data breach response team should make data breach security and breach preparedness a company-wide focus by providing department-specific training.

Each team member has a responsibility to apply prevention and preparedness practices to their departments.

The response teams should also work with employees to integrate smart data security into their everyday work. They should develop policies for data security, online activity and mobile phones and communicate them to all associates, and they should conduct employee security training at least once a year.

In addition to preparedness training, it's the responsibility of the response teams to use the training exercises as an opportunity to improve the data breach response plan.

10. Prepare for the worst

Prepare for the worst so you are able to respond with your best.

Make sure everyone on your data breach response team understands their roles and responsibilities – both in preparing for and responding to a breach. The more your organization can do to prepare, the better off it will be in the months and years to come. 

Curious about what you can do to prevent Cyber Crime?


We can help you recover from a data breach

While this 10-step plan may seem exhaustive, and like a lot of work on your part… it is. And for good reason.

Businesses are operating in an environment where it’s not a matter of IF a data breach will occur, it’s only a matter of when.

We need to take reasonable measures to reduce the likelihood of a breach, but we also need to be realistic and understand that inevitably, we’ll all deal with a data breach at some point.

The two most important questions you need to answer as a business owner are:

  1. Will I know how to respond when a breach occurs?
  2. And will my business survive the devastating consequences of a data breach?

The planning you do today, the strategic partnerships you put in place, and the adequacy of your Cyber & Data Breach Insurance coverage are all critical components to confidently answering the question of ‘will my business survive after a data breach’ with a resounding ‘ABSOLUTELY.’

We understand the negative effects a data breach can have on your organization; we’ve seen first-hand how it impacts clients. We also know which insurance companies provide the broadest insurance coverage to help you recover after a breach occurs.

But we don’t stop there.

The best place to begin is with your own internal operations, the security measures you have in place, and the controls implemented to avert a data breach. To learn more about how we can help, download our Cyber & Data Breach Liability eBook, or if you need to get insurance coverage in place now, simply Request a Proposal and we’ll get to work right away.

