What Is Your Data Breach Response Plan?
By Rich Blumberg
Businesses would prefer to avoid the attention of attackers, of course, but it seems just about every organization is in the crosshairs these days. As the number of breaches continues to rise, the prudent strategy is for firms to not only work diligently to prevent an intrusion, but also to have a plan in place to respond quickly and effectively if they suspect their information has been compromised. A data breach response plan proactively outlines the actions a business must take, providing a framework that can be regularly checked against emerging risks and updated when the firm's situation changes: additional staff are added in key data privacy or technology roles, for example, or partnerships are formed that change the way sensitive information is processed.
Developing a data breach response plan, one that isn't overly complicated but is instead easy to follow and quick to implement, gives businesses the opportunity to prepare the necessary resources ahead of time and mitigate the damage an exposure can inflict. Leaving key tasks to the last minute, such as scrambling to identify qualified outside legal counsel, is unwise and can significantly impact the timeliness and expense of a breach response. Likewise, hastily pulling the plug on a single server without seeking guidance from an experienced technology expert may not shut down the unauthorized access that caused the exposure, since the intruder may already hold a foothold on other systems, thus leaving the business open to further harm. Worse, it may erase key information a computer forensics company may need to assist the investigation: the contents of memory, the list of running processes and the active network connections all vanish when the power goes off, and with them much of the evidence of what the attacker did and where else they reached. Getting the firm's ducks in a row in advance of any breach is a far more effective strategy.
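The point about pulling the plug deserves a concrete illustration. The script below is an added example, not code from the original article or from CyberScout: it snapshots the volatile state of a suspected-compromised Linux host (clock, sessions, processes, sockets, routes, open files, mounts) and hashes the bundle, so that the evidence survives whatever containment step follows. The function and file names, the evidence directory layout and the choice of commands are illustrative assumptions; the commands themselves (`ps`, `ss`, `netstat`, `ip`, `lsof`, `sha256sum`) are standard Linux tools and each is tolerated if absent, since a triage box is rarely the one you would have chosen.

```shell
#!/bin/sh
# Added example, not from the original article. Snapshot volatile state of a
# Linux host BEFORE it is isolated or powered down. All names below are
# illustrative; the commands are standard Linux userland, each optional.
# usage: collect_volatile /mnt/evidence

# cap FILE CMD...: append CMD's output to FILE, recording a header first and
# tolerating a missing or failing command (triage hosts vary widely).
cap() {
    file="$1"; shift
    printf '## %s\n' "$*" >> "$file"
    "$@" >> "$file" 2>&1 || printf '(unavailable or failed)\n' >> "$file"
}

collect_volatile() {
    # $1 = base directory for evidence (default: ./triage, an assumption)
    base="${1:-./triage}"
    host="$(hostname 2>/dev/null || echo unknown-host)"
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    out="$base/${host}_$stamp"
    mkdir -p "$out" || return 1

    # When and where: clock skew matters when correlating with other logs.
    cap "$out/00_system.txt" date -u
    cap "$out/00_system.txt" uname -a
    cap "$out/00_system.txt" uptime

    # Who is logged in now and who was recently; wtmp may rotate or be wiped.
    cap "$out/10_sessions.txt" who -a
    cap "$out/10_sessions.txt" last -n 50

    # Full process list with arguments and start times; gone after power-off.
    cap "$out/20_processes.txt" ps -eo pid,ppid,user,lstart,etime,cmd

    # Listening and established sockets with owning processes (ss, else netstat).
    cap "$out/30_sockets.txt" ss -tulpan
    cap "$out/30_sockets.txt" netstat -tulpan

    # Routes and neighbour cache: lateral movement often shows up here first.
    cap "$out/31_routes_arp.txt" ip route
    cap "$out/31_routes_arp.txt" ip neigh

    # Open files (deleted-but-open binaries) and mounts (tmpfs is lost on reboot).
    cap "$out/40_open_files.txt" lsof -nP
    cap "$out/41_mounts.txt" mount

    # Hash the bundle so it can later be shown to be unaltered.
    ( cd "$out" && { sha256sum ./*.txt > SHA256SUMS 2>/dev/null \
        || shasum -a 256 ./*.txt > SHA256SUMS; } ) || return 1

    printf '%s\n' "$out"
}
```

Run it with root privileges from a clean USB or a known-good copy of the tools if the host is suspected of being tampered with, write the output to removable or network storage rather than the compromised disk, and only then proceed to isolation. Network isolation (pulling the cable or moving the port to a quarantine VLAN) preserves more than powering off and is usually the better first containment step; the forensics vendor can take a memory image afterwards if it is needed.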
Tap into additional resources
One component of many small business breach response plans is accessing the financial and technical support available through a well-structured cyber liability insurance policy. Coverage options vary widely, so a business, or its insurance broker, must carefully examine its needs before choosing a policy. For firms with lean internal resources and thin financial margins, the right cyber liability coverage can be a key asset when it comes to implementing a solid breach response plan.
Begin by assembling the team
Who needs to be involved in responding to a breach? Before attempting to pull together more than a cursory list of post-exposure action items, it’s first critical that the firm identify those individuals or groups that should be contacted in the event of a potential breach. The team will vary from one business to the next, but most organizations will want to include representatives from the executive group, legal (either internal or an outside consultant), privacy or information security, risk management, information technology, human resources and public relations.
Given the growing reliance on external partners, such as cloud providers and payroll processors, firms should also consider where vendor touch points exist and how or when those third parties will contribute to the breach response process. They may need to be included on the contact list, or they may even be the ones who raise the initial alarm if a breach occurs. It is also important to ensure vendor contracts clearly spell out which party is responsible for the response when a breach occurs, within what timeframe the vendor must tell the business about an incident, and who is liable for notifying those affected. Other vendors are also commonly part of the response team, such as media relations consultants experienced in crisis management and notification firms with the resources to quickly inform breach victims about the situation.
If the business has cyber liability coverage, the insurance company should also be part of the breach response plan. There are support services included in many policies that will be helpful in the event of an exposure, ranging from forensic investigation teams to data recovery specialists. To maximize the value of any applicable coverage, firms must be ready to access available features quickly and through the most efficient channels.
Consider where legal obligations exist
There are likely laws, rules or regulations that will influence how a business's incident response plan is designed and implemented. Some of these data breach laws are at the state level, and others at the federal level may apply as well. Often these laws govern how and when breach victims are to be notified, and the timeframes are strict in many instances, so understanding every obligation in detail and incorporating it into the response plan is important if the plan is to be deployed effectively.
Businesses that handle particular types of data, such as financial information, personally identifiable information or medical data, may have additional mandates that will guide their breach response actions. It may be necessary to notify one or more regulatory agencies or other oversight groups. Reporting of the incident may be required in one form or another, often with a provision for the investigative findings to be forwarded for review once the incident has been examined and determinations on cause and scope have been made.
Create the action steps
With the team in place, it's time to identify the steps that must be taken if a breach occurs. These action items should be general enough to accommodate a range of breach types and triggers. For example, one step may be to shut down access to any compromised technology, whether that's an unsecured Wi-Fi access point or a breached server. Or the response plan may involve halting a check run if it's discovered that personalized inserts don't match the address on the outside of the envelope. Generally the action steps will entail an initial investigation to establish the cause and scope of the breach, containment to stop further exposure, and then remediation to minimize harm while victims are notified; containment should be sequenced so that evidence is preserved rather than destroyed along the way. Communication channels should also be delineated, identifying who is responsible for initiating the response plan and which functional area(s) will coordinate the activities of any third-party vendors. This ensures the right outside experts are ready to go on short notice and also avoids any time- and money-wasting duplication of effort across the various sub-teams.
A breach response plan should be considered a living document. The first way to make it better is to test it using what’s called a table-top exercise. In this exercise, the breach team is brought together and is presented with a breach scenario so everyone can run through their action items. Glitches can then be noted, solutions developed and the plan amended. Regular reviews should also be conducted so that updated processes and new threats can all be addressed.
The importance of putting a framework around these action steps can't be overstated. A swift and effective breach response may mean the difference between managing the post-exposure situation in a way that mitigates harm to breach victims as well as the business itself, or bumbling through the process with missed regulatory deadlines, increasingly unhappy (and potentially litigious) victims and the company facing a host of ongoing reputational and financial damage.
Rich Blumberg is a business development director for CyberScout.