Why You Need a Data Breach Response Plan and How to Make One

November 17

Note: A version of this article also appears on Windows IT Pro.

I probably don’t need to tell you how important it is to prepare for data breaches. Headlines about breaches that affected Target and The Home Depot should be enough to scare you, but let’s look at some facts anyway:

  • In a Ponemon Institute survey of 567 executives, 43 percent said their business had a data breach in 2014, a 10 percent increase over 2013.
  • IBM’s 2014 Cost of Data Breach Study found that the average cost of a single lost or stolen record was $201.

These statistics suggest two things: data breaches are increasingly common, and they are costly.

But there is some good news. Businesses with data breach response plans and teams in place have increased from 61 percent last year to 73 percent this year. Businesses are taking note of these breaches and preparing. Plus, the companies that do have these response teams in place often greatly reduce the cost of individual stolen records. As the Ponemon study notes, businesses with formal data breach response plans decrease the cost of data breach by an average of $17 per lost record. This can save thousands of dollars for a single breach event.

The moral? Get your response plan and team together.

Assemble your data breach response team

A data breach response taskforce needs a few different people. You’ll want to include business leaders, CEOs, PR people, IT people, and anyone internally who would need to be there to quickly resolve a data breach issue. They should be ready to respond quickly and at any time. Your business’s reputation and your clients’ information depend on your ability to quickly resolve problems.

Find the key people, and make sure they understand what is expected of them if there is a data breach. IT people need to be ready to fix the network end of the issue, and PR people will need to be ready to deal with the people affected—everybody has a job to do. Before you create the plan itself, it’s useful to discuss what causes data breaches.

Understand data breach and causes

As we noted in a recent post on user error, people and processes are the top cause of critical support cases brought to Microsoft. Any data breaches you experience will probably be the result of some combination of people, processes, and technology. People can include anyone at your organization, even previous employees (who can essentially still hold the keys to your kingdom, so to speak) and vendors you work with. Technology and processes include how you obtain and secure information. Remember that it’s not always digital information, either. There are probably plenty of physical documents that contain sensitive information as well, and these can also fall into the wrong hands.

There can be security flaws at every level, and people themselves aren’t perfect, so it can be fairly tough to know where a breach will come from if it does. Making sure you’re as secure as possible in all facets is essential to keeping data secure, and part of that involves making sure you know what types of data you’ve got.

Complete a data assessment

Now that you know a few areas where breaches can occur, you’ll want to identify all of the types of data at your organization. Some of it is innocuous: it might not matter if, say, one of your marketing writer’s Word docs gets into the wrong hands, but you definitely don’t want someone getting hold of a customer’s financial data. Take an inventory of the types of data you’ve got, where the data is stored (in some cases a third party might even handle certain things), and what the financial risk of losing that data is. An article from Entrepreneur also suggests getting rid of data you no longer need. It’s easier to keep track of what you’ve got when it’s scaled down and manageable.

In addition, it’s also useful to consider things like cyber-insurance and to look at your business’s current insurance policy—does it cover cyber/network liability?

Protect critical data

Publicized data breaches seem to always be larger companies, many of which are retailers. But smaller companies are at risk too, particularly those in the healthcare industry. A report from the Identity Theft Resource Center revealed that the healthcare sector generated nearly 44 percent of all breaches in 2013, higher than any other sector.

Crime is often an act of opportunity, and the last thing you want to do is make it easy for a hacker to swipe your stuff, so ask yourself: Is everything that needs to be behind firewalls behind them? Is financial data being obtained and stored in a safe way? Do only those who need access to it have access to it? What can you do to beef up security? Your best line of defense against a data breach is total avoidance.

Create a response plan

What will you do if/when there is a breach? There are a few categories to think about as you develop your response plan; these are things you’ll want to know the answers to before something happens.

What was the source of the breach? You need to find out how you’ll determine where the breach came from. If something happens, you need to identify issues and fix them to prevent more data leakage from happening.

Who should you contact? You need protocols for how people at your organization will communicate if there’s a breach. Who should call who first? What’s the quickest way to spread the news to your response team that a breach has occurred? Text message? Email? Phone call? Discuss with your response team how you’ll get everyone on the same page quickly.

Your response team will then have to get people outside of the organization involved, namely law enforcement and clients. Each state has different laws governing how to notify people of a data breach (the National Conference of State Legislatures has them conveniently listed here). In most cases, the law will require that law enforcement officials and the affected customers be notified in a timely manner, but check your local laws to make sure you’re doing things properly.

The most essential thing here is to make sure you’ve alerted people quickly. The more time you waste, the more problems can occur as a result of the breach, so be sure law enforcement is notified and that affected customers know what to expect.

How will you resolve the issues with your customers? This part is crucial. Customers lose faith in you if you can’t keep their data secure. If it falls into the wrong hands, what can you possibly do to make up for it? There are different ways to resolve the problem, but one example is what The Home Depot did after their recent breach. After thousands of credit card numbers were stolen, they made it clear in a statement that their customers would not be liable for fraudulent charges on their accounts, and even offered free identity protection services for affected customers. They also reported that they had increased security on point-of-sale systems, which are, at least for now, fully secure.

Your individual case might be different, but the important thing is that your clients know what happened, what you’ve done to fix it, what you’re continuing to do to make sure it doesn’t happen again, and what sort of compensation (if any) they get for being affected. This is something for CEOs and decision-makers to decide if it ever occurs, but it’s useful to have some ideas at the ready so you can act fast.

Do it now

The tough fact is that a data breach will be expensive and can be damaging to your reputation. Doing whatever you can to avoid it ahead of time is an essential part of any business plan. Take some time today to get the ball rolling on a response plan, but also make sure you’re doing all in your power to keep the data you’ve got as protected as possible. With any luck, you might never need to use your response plan at all.

Photo Credit: Chris Violette via Flickr