Data breaches and identity theft are becoming commonplace in today’s society. As individuals and companies race to secure their data, hackers are devising new ways to steal it.
The Identity Theft Resource Center reported a 126% increase in exposed consumer data in 2018. Now, more than ever, it’s important for businesses to plan for the unexpected. A data breach response plan can help companies prepare for a cyber emergency. They can avoid losing valuable data, damaging their reputations, or losing revenue.
Is your business ready to react efficiently in the face of a data emergency? Find out what you need to keep in mind before, during, and after a data breach below.
- Create a data breach response plan
- Choose teams in each department to identify, contain and recover from the breach
- Ensure IT resources are allocated to the most crucial departments
- Conduct company-wide awareness activities and drills annually
- Identify what type of breach has occurred
- Secure all data
- Change all passwords and encryption keys
- Clear malicious code from your systems
- Identify the source of the breach
- Alert the authorities and legal counsel
- Protect digital evidence found
- Notify data owners about the breach
- Activate public relations response teams (if needed)
- Fix vulnerabilities to prevent another breach
- Alter preparation plans for potential future breaches
What Is a Data Breach?
A data breach is the release of private, confidential or secure information to an untrusted environment. Data breaches can be intentional and unintentional and vary in severity. One of the first steps when developing a data breach response plan is defining what your organization considers a breach.
You will need to decide what level of severity will set your plan in action. A small breach (such as exposed information as a result of a phishing email) may not need a full-blown response. Attacks that cause a more serious disruption can also happen. These breaches may include widespread theft or exposure of sensitive information. Learn more about the different social engineering attacks here.
How to Respond to a Data Breach
If a data breach happens at your organization it’s important to have a plan set in place ahead of time to contain the situation. A data breach response plan provides your business with a detailed set of instructions to follow in the event of a security breach.
The plan should involve key members of your organization. This includes IT departments, public relations and digital marketing teams, legal and risk compliance teams as well as an executive sponsor. Set clear objectives and decide how each department will respond to a breach. Test and revise the plan annually or bi-annually to ensure its relevance.
Once you discover and identify a security breach, the data breach response plan can be set in motion. Your team members can then follow its steps to secure the situation and get the company back on track.
Preparation
1. Create a data breach response plan
An effective response plan includes steps designed to prepare your company for a cyber emergency. It also identifies the response team and lists actions to contain and recover from the event.
The intricacy of the data breach response plan will depend on the size of your business. You must also consider the number of possible threats and confidentiality of the information you store. If a cybersecurity breach has the potential to severely impact your business, your plan needs to be thorough.
You need to make key decisions ahead of time to avoid making them under pressure. All personnel involved with the plan should be well-informed and trained.
Choose teams in each department to identify, contain, and recover from the breach. Assign incident leads and ensure the correct IT resources are allocated to the most crucial aspects of the plan. Teams should include members that will handle customers, internal communication, and public relations.
3. Ensure IT resources are allocated to the most crucial departments
Key departments to involve include:
- Information Technology – Discovers and responds to the data breach.
- Legal and Compliance – Determines the data retention policies. Maintains compliance standards for records retention and informs the appropriate parties.
- Public Relations and Marketing – Leads customer identification and communications coordination efforts.
- Sales – Leads key relationship management.
- Executive – Coordinates high-level response efforts.
4. Conduct company-wide awareness activities and drills annually
Company-wide awareness activities and drills are important to conduct annually or bi-annually. That way nobody is caught off-guard if a breach occurs. A few different types of cybersecurity drills include:
- Employee awareness of common security breaches
- Security awareness training sessions
- Simulating cybersecurity incidents or phishing scams
- Tabletop exercises
Prevention is a major aspect of preparation. Take stock of weak points in your company’s security measures. Consider potential ways data could be compromised — then take steps to ensure these areas are secure. If you can prevent the breach from happening, you’re one step ahead.
Identification
5. Identify what type of breach has occurred:
-
Legally protected information
-
A material loss to the company
You should have determined what you consider a data breach ahead of time. If a breach occurs you will need to determine its severity and the best response plan.
What types of sensitive information does your company hold? Two types of data can be compromised in a data breach:
Incidents that involve legally protected information.
You often see this type of incident on the news. This includes customer health records, personal identification information (such as credit card numbers or social security numbers). The company is often legally required to inform their customers when a breach of this nature occurs.
In these cases, legal or outside counsel should identify required data retention and disclosure requirements. Different industries will have different reporting requirements. Some (such as retail and PCI compliance) must inform their customers. Others (such as healthcare and government) must inform the customers and governmental regulatory agencies. You will need to know which regulations apply to your business.
Incidents that involve a material loss to the company.
This type of data loss may not warrant a public announcement but can be damaging to the company itself. Material losses manifest differently across industries. They can include a compromise of sensitive information, trade secrets or intellectual property.
Material losses can also prevent your company from functioning properly. For example, an operational disruption or a compromised vendor network could impact your supply chain.
Containment 
6. Secure all data
Your recovery teams will need to take action to mitigate the impact of the breach as much as possible. This ensures that the breach does not spread and all data is secured.
7. Change all passwords and encryption keys
Put all affected machines, devices and systems on lockdown. Change any passwords or encryption keys immediately. As always, only use a trusted source and store this information securely.
8. Clear malicious code from your systems
If the breach involves any viruses or malicious code, allocate the resources needed to clear them from your system. This way, the company can begin to recover. This is one situation in which it’s important to have an effective backup strategy for your digital information. This kind of strategy can save you time and help you determine the best course of action.
For example, if data is breached with a ransomware attack, the most effective response is not to pay the ransom for the release of data. You should roll the IT state back to the most recent copy of the data, thus restoring its operational state. Data will still be compromised, but you will be able to analyze what was taken. You can also determine your next move and maintain operations.
Investigation
9. Identify the source of the breach
Once you contain the breach, your team should investigate its potential cause. Be sure to document all investigation and mitigation efforts carefully. Record all interviews with internal and external personnel and update legal teams often.
If you need to call in outside help, now is the time. You will likely need to involve law enforcement. Consult with your executive leadership teams and legal counsel to determine any additional response teams needed.
11. Protect digital evidence found
Recovery
12. Notify data owners about the breach
When you contain the breach and investigations are underway, you can put your restoration plan into action. You may need to notify data owners. This includes customers or employees. Let them know that their information was compromised. Notify them as soon as possible so that they can take the necessary steps to protect themselves.
Taking it a step further, it’s important to consider ways to make the situation right in the eyes of the victims. This means going beyond regulations and considering ethical steps your company can take to ensure their well-being.
You can pay for additional monitoring, an identity protection plan or security software for the victims. This shows that you are doing something to remedy the issue rather than simply reporting it.
13. Activate public relations response teams (if needed)
The FTC has a wonderful model letter template. It explains what happened and what information was compromised. It also covers what the company has done to stop it and what users can do to protect themselves.
Learning Lessons
14. Fix vulnerabilities to prevent another breach
You may choose to segment your network so that a future breach in one sector won’t expose sensitive information in another sector. Work with your team to find out what weak points in security made this breach possible. This can include reviewing logs and who had access to the appropriate information. Take the recommended measures to ensure networks continue to be secure.
Make sure your teams are leveraging the most updated antivirus and WiFi security protection software. Consider using a tool like Aura to protect your data and devices.
15. Alter preparation plans for potential future breaches
You will also likely want to review your data retention policies and adjusting them. For example, you may only be required to maintain 3 years of ex-customer records. Maintaining 10 years s unnecessarily exposes the company to more risk.
Your IT and compliance teams should come together and determine the lowest amount of customer or other data to retain. Remember that some industries are regulated and you must retain data in some cases.
At this point, your prevention or preparation plans may need altering for potential future breaches. Do so with the knowledge gained from your investigation.
Considerations When Responding to a Data Breach
There are some key factors to take into consideration when planning for a potential data breach. You will want to ensure:
- Senior management is supportive. Support from all senior management teams is essential for the success of your response plan. They can help you gain access to information you may not have readily available and ensure that all departments are on board and well informed.
- The plan is simple and straightforward. Everyone should know their role and there should be no confusion as to how to deploy the response strategies.
- Communication is continuous. Not only within the company but with those whose data has been compromised. Recovery will depend on the trust you gain while the incident occurs.
- You review and test the plan often. You should be constantly looking for holes or discrepancies in the plan so that they can be fixed preemptively. The plan will be worthless if it is irrelevant or ineffective.
To sum things up, you can avoid many negative effects of a security or data breach by preparing. Consequences can include loss of productivity and revenue or damage to trust or reputation. If your team remains flexible and agile during this type of disaster you will enjoy the best possible outcomes. Keeping this in mind, it’s never too early to start thinking about preparing for a data breach.
