Data Breach Response Plan: Does your company have one?
In a Ponemon Institute survey of 567 executives, 43 percent said their business had a data breach in 2014, a 10 percent increase over 2013.
The survey's numbers show that data breaches are becoming both more common and more costly.
Data breaches can result from malicious attacks, accidental mistakes, and employee carelessness. Many organizations do not realize that confidential information can fall into the wrong hands through electronic file transfers, lost or stolen devices, and attackers infiltrating company servers.
No matter the complexity of the data breach, dealing with the breach will be monumentally more challenging if you don’t already have a data breach response plan in place.
Here are a few tips:
thorough, extensive documentation of events leading up to and immediately following the discovery of the breach
clear and immediate communication with everyone in the company about what happened, and how they should respond to any external inquiries
immediate notification and activation of the designated response team, especially legal counsel, to determine whether law enforcement and/or other regulatory agencies need to be involved
identification of the cause of the breach, containment of the affected systems, and implementation of whatever steps are necessary to fix the problem, taking care not to destroy evidence the investigation may still need
development of messaging and a deployment schedule for notifying those whose data was compromised, based on counsel from lawyers who will review the state laws, compliance regulations, and other mandates that govern what the notice must say and how soon it must be sent, as well as what compensation should be offered to affected victims
Continually train employees on what to do during a data breach
Timely detection is key. “On the internet, a service outage of more than one hour is considered significant,” says an online article by application security company Veracode. SANS research recommends detecting compromises as early as possible in the attack lifecycle, since the longer an intruder goes unnoticed, the more data is exposed. Invest in containment and other technology that improves detection and response times.
Here are a few resources if your company needs help developing a data breach response plan.
Data Breach Response Guide (Experian Data Breach Resolution Team)
This comprehensive 30-page PDF covers how to handle each step of the response process, as well as specific kinds of breaches such as healthcare breaches. It even includes an audit tool you can use to check that your current plan is as up to date as it needs to be.
Security Breach Response Plan Toolkit (International Association of Privacy Professionals (IAPP))
Use this questionnaire to guide the development of your incident response plan. Involve your executive and IT team so everyone can better understand all facets of the process.
BBB Data Security Guide (Better Business Bureau)
Specifically designed for small businesses, the BBB provides a series of articles and resources to help companies understand the issues surrounding data security, as well as how to build a response plan.
Model Data Security Breach Preparedness Guide (American Bar Association)
For those with limited access to legal counsel, this PDF provides an overview from the legal perspective of how to prepare for a data breach. It obviously isn’t a substitute for seeking advice from a lawyer who knows or can learn the details of your specific situation as well as the laws that apply in your state and industry. However, it does provide some good general information that could help you launch a discussion with your legal team.
Be sure to enforce a security-centered workplace environment. A culture of security from the top down helps everyone remember the importance of adhering to company policy and procedure. Integrate information security policies such as secure document destruction and secure hard drive destruction, backed by a shred-all policy in the workplace: all documents that are no longer needed should be deposited into locked consoles for secure onsite shredding.
Rock Solid Shredding provides customized paper and hard drive shredding services that help businesses comply with legislation while protecting information.
Contact them at 501.940.9900 or fill out the Contact Form.