Data Breach Response Planning: A Guide

Data breaches don’t seem to attract our attention much these days; commonplace activities often lead to complacency. Remember that your organization will, if it has not already, have some type of data breach. Depending on the type and scope of the data breach, costs can quickly reach millions of dollars. This is an event you should have a specific plan for – at a minimum, you should include a detailed section in your Crisis Management Plan.

Here are the minimum items to consider:

1. Response Team

This is the team that will monitor and manage the event itself, not the individuals performing any investigative or forensic tasks. Often this team will be composed of senior leadership who have a corporate or organizational view of impacts. Others may be brought in to provide support or information. The roles to be filled for this team are:

• Leader. Provides direction and facilitates activities.
• Logistics. Ensures that the needs of the team and others working the event are met. Think in terms of food, accommodations, travel, etc. Also, this role can include administrative support for the team, such as tracking action items and status.
• Communications. Provides for the coordination of all communications from the team, both internal and external.
• Legal/Regulatory. Provides legal and regulatory insight and recommendations.
• IT Technical (Security, Network, Server, Storage, Applications). Provides impact information and insight related to both the technical aspects and status of the event. Also provides information regarding potential impacts to the processing environment depending on decisions and actions taken.
• Functional Business Unit Representation. Provides insight into impacts on business units. There does not need to be a representative for every business unit in the organization, but ensure that there is at least some level of business function knowledge

2. Incident Notification

There are two aspects to notification:

• Management notification. Management is notified of a breach or potential breach. Train everyone in your organization to report any potential data issue immediately to their supervisor. “Bad news does not get better with time.”
• Stakeholder notification. Notification to stakeholders when a breach or potential breach has occurred. Determine the stakeholders who need to be notified and when. This includes internal stakeholders (staff, contractors, etc.), external partners (vendors, law enforcement, regulatory agencies, insurance providers, etc.), customers and/or clients, and the public. You must also determine what your requirements for reporting are.

3. Investigations

The investigation has two parts; the IT and the non-IT portions. The IT portion will include the use of forensics and may require assistance from outside firms. Confer with law enforcement, they may be a valuable resource for guidance and information in the investigation. The non-IT portion of the investigation includes identifying any motives to commit the breach (what the compromised information might be used for) and the organization’s communications records.

4. Internal Communications Plan

Prepare the initial communication to internal stakeholders. This may not include all details until the cause and perpetrators are identified, but should let staff know about the issue, as well as provding them with a reminder of policies and procedures on communications to the public and any record retention needs for the investigation.  Include a communication schedule in your plan. Even communicating that there is no update is better than silence. With no information, people’s imagination or perception becomes their reality.

• Include both oral and written communication templates and wording.
• Identify the external stakeholder and public notifications required, and the schedule or milestones for initial and updated communications.
• Consider the use of social media. It is now often the first source of information for many people. Whether your organization decides to use social media as part of its communications plan or not, you should at least be monitoring social media outlets for mentions of the event. Plan a swift and helpful response if that does occur. It’s important to be proactive.

5. Notifying the Public

Communicate the potential harm, both current and future, the type of data or information impacted, and recommended actions. Provide information on how you will assist those affected going forward.

Use your media relations or corporate communications team, or consider using a third party for advice, to develop your media communications during the event.

6. Remediation

Following the investigation and subsequent identification of the cause of the breach, you will need to remediate any identified gaps.

Areas to consider:

• Provide privacy monitoring or protection services to victims.
• Conduct regular external audits of your security and data protection.
• Conduct intrusion detection exercise using a third party (a proactive “data breach”).
• Update policies and procedures for control and access of data on an annual basis.
• Provide regular training or communication on proper behaviors related to data and privacy.

Event occurrence is not the time to figure out what to do; you should have a checklist of planned action steps to guide your response. Preparing for this eventual occurrence is not optional any longer.