Just as important as it is to have a cybersecurity plan and protocols in place, it’s critical to have a Data Breach Response Plan ready to go in case you need it. In the heat of the crisis, you don’t want to forget critical steps or make mistakes. When a breach happens, the actions you take – or don’t take – can have irreparable consequences.
First, make sure your cybersecurity monitoring and data collection comply with all applicable laws. Make sure your policies detail what you need to keep, delete, and/or process data if you capture it. You should get a professional assessment and a legal review of your policies and protocols. Once that’s done, crafting your Data Breach Response Plan can help minimize the damage, aid recovery time, mitigate costs, and protect you legally.
Stronger Data Security – Safeguarding Rules and Regulations
In the U.S., 48 states, plus Guam, Puerto Rico, the Virgin Islands, and the District of Columbia, have state laws requiring companies or government agencies to notify individuals in the event of a security breach that results in the release of personal, identifiable information. In addition, there are federal laws governing data breaches and what steps to take in the event of a violation, especially with financial information or health information under HIPAA (Health Insurance Portability and Accountability Act).
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets federal privacy law for companies and details compliance, reporting, and investigations. Most provinces have their own privacy standards regarding data breaches.
The European Union’s General Data Protection Regulation (GDPR), effective May 25, 2018, calls for more stringent requirements on safeguarding personal data. Companies that fail to comply face stiff fines and penalties. Compliance assessments are taken immediately after a data breach of personal information. That’s where a robust Data Breach Response Plan will be essential. Even companies outside the E.U. may very well have to comply with the standards set if they do business or interact with E.U. residents, customers, or business.
Seven Steps To Crafting A Data Breach Response Plan
1. Clearly Define Objectives
It may sound simplistic, but you will need to define what constitutes a data breach that dictates action and then outline your data breach response. Consider multiple levels of engagement, with clearly defined actions to be taken for different types of intrusions. In this case, one size does not fit all. You should know what steps must be taken immediately to contain the breach and mitigate any further damage. There should be no question from your team of what to do when time is of the essence.
- United States
The National Institute of Standards and Technology in conjunction with the U.S. Department of Commerce has specific recommendations on handling computer security incidents. - Canada
Refer to the Office of the Privacy Commissioner of Canada’s PIPEDA compliance toolkit for business for strategies and recommendations. - European Union
The European Union Agency for Network and Information Security (ENISA) requires Computer Security and Incident Response Team (CSIRT) at companies.
2. Create Your Team And Assign Roles
- Define the team members that will respond in case of a breach. Your plan should detail not only what each employee will do, but set timelines and task priorities. Whether you have a Chief Compliance Officer or not, someone needs to be charged with the overarching responsibility when a breach occurs.
- Defined roles, with a written plan, are the key to a successful Data Breach Response Plan.
3. Set Key Performance Indicators
- While dealing with a breach is the immediate problem, the goal of any plan is to prevent future violations. Before a crisis moment, you should establish specific KPIs to measure when an incident happens. What is the expected response time? Who gets notified of a breach? What steps are taken immediately? Not only should each task be detailed in the plan, but there needs to be a way to measure performance of them to properly evaluate response steps, and refine the strategy.
- If possible, have a separate person or team responsible for investigating the breach and response after the incident occurs.
4. Professional And Legal Review
- Just as with your Monitoring and Data Retention policies, your Data Breach Response Plan needs a professional review and a legal review to make sure you comply with all applicable laws. As laws are changing routinely, it is vital to do compliance reviews regularly.
5. Create An Internal And External Communications Plan
- The Incident Response plan can’t be limited to key personnel, such as the IT team. It needs to be standard practice for the entire company so that every employee knows the importance of the plan, what role they play to safeguard data and what to do in the event of a breach. Your plan will likely include instructions for critical managers or even every employee. The executive management team must be involved as they may have liability and fiduciary responsibility.
- In the event of an incident, you should have written procedures on notifications (who, what, and when) and a public relations plan for the media and affected public if necessary.
6. Test, Test, Test
- System stress testing is critical. It should happen on the front-end and back-end. Testing helps identify holes in your data protection strategy and flaws in your Data Breach Response Plan. Since technology and software are always evolving, it’s essential to do this on a scheduled basis. Doing so may also help you mitigate damage if there is a legal liability.
7. Review And Revise
- In addition to tech and software evolution, cybercriminals are evolving as well. Between ransomware, phishing schemes, and malware, new threats manifest every day. One estimate puts the number of new malware samples being produced at 230,000 every day. With this in mind, it is also unsettling to note that internal non-compliance can defeat even the best security plans. More than 60% of all breaches and network intrusions are from user credentials that are compromised. In other words, things are always changing. Hackers find new ways around your security when people get sloppy. That means regular reviews and revisions are imperative.
Protect Yourself Against Breaches
The potential cost of cyber-crime globally is staggering. Microsoft pegs the risk at half a trillion dollars. In addition to a $500 billion price tag, the average company will spend $3.8 million to recover from a major data breach.
For nearly all companies, a breach of some sort is almost inevitable. Make sure your plan is detailed and regularly reviewed. Consider consulting with cybersecurity specialists about data breach response services.