How to Craft a Data Breach Incident Response Plan for Your Firm
Don’t panic! A big mistake many businesses and organizations make is to let the stress of a data breach break down segregation of duties and the chain of command. Now is the time to fall back on your “data breach incident response plan,” as well as the associated training you and your employees have undertaken, so that you are prepared to handle the data breach in a calm and collected manner.
What exactly is a data breach incident response plan? This plan, or written policy, is a series of protocols and assigned duties for various members of the organization’s staff in the event of a data breach. The goal is to minimize public relations snafus, provide for efficient reporting to the appropriate agencies at the appropriate times, allow for collection of pertinent information and evidence of the data breach, and minimize risk and damage to the organization and its employees and customers.
Simply creating a data breach incident response plan is a good start, but it is not enough. A business or organization’s staff must receive training and practice in order to prepare for and effectively execute the protocols in the plan. A very useful method of practice is for an organization to run a tabletop exercise, assigning roles to various employees and walking through a hypothetical data breach to see how prepared the organization really is in the event of a real incident.
Some essentials that should be in every data breach readiness plan and put to use in any data breach are the following:
1. Assign a single point of contact, who is adequately informed about the details of the breach, to be responsible for communicating with the media and outside entities. Having just one point of contact for public relations helps ensure there are no conflicting messages being given to the public and that only the proper information is divulged at the appropriate time. Too many individuals talking to the media or general public at the same time can create embarrassment for the organization, because conflicting messages may be released, or information that the organization had not intended to release. This individual will know that it is important to understand exactly what message the organization wants to convey before making any contact with the media or local agencies. This individual may also be the point of contact for law enforcement. However, it is a good idea to also have someone who is more familiar with the technical aspects of the data breach available to work with law enforcement. This will help law enforcement adequately investigate the incident and avoid wasting the time of owners or executives who may not understand the mechanics of the breach.
2. Establish a data logging and protection protocol for use in the event of a data breach. When a breach occurs, it is extremely important to be able to shut down the unauthorized flow of information that is leaking out of the breached entity. Breach readiness plans for both electronic and paper records should also have protocols in place to quickly determine exactly what information was compromised, as well as how it was compromised.
3. Assess which data breach notification laws apply to your data breach. Use the information gathered through the data logging and protection protocols to determine the nature of the information compromised and the associated risk or danger to the entity, its employees, or its customers. While compromised intellectual property can be extremely devastating to any entity, this type of information may not trigger a data breach notification law. Breaches of customers’ personally identifying information will likely trigger a data breach notification law, should the state or territory have one. Hire outside counsel or carefully review the data breach notification laws that apply to your breach. Also, be sure to comply with any and all notification requirements in order to avoid penalties or other damages.
4. Stay in communication with the victims of the data breach. This is an opportunity for the entity to show its character in how it stands by its customers during an adverse situation. Customers obviously will never be happy to discover their sensitive information was compromised, but they will remember how the breached entity responded to the incident, good or bad. Staying in communication with the victims, guiding them in what they should do to protect themselves, providing prompt assistance to customers who would like to change their account information or have other requests, and conveying an apologetic and understanding message can do wonders in mitigating the reputational fallout that is often associated with data breaches.
It is important to understand that we live in a time when data breaches are becoming more and more commonplace. Business owners, executives, and especially employees must appreciate the necessity of a data breach readiness plan and the training that should go along with it. If handled well, a data breach may be a chance for an entity to show its loyalty and dedication to its customers, potentially increasing customer appreciation and brand reputation.