A major data breach can be an existential threat to your organization. And even a minor data breach can cause embarrassment and turmoil, not to mention government scrutiny, litigation, and loss of trust and reputation for your organization.
As reported by the International Association of Privacy Professionals, the Ponemon Institute's 2018 Cost of a Data Breach Study "estimates the average cost of a data breach is USD $148 per record, or $3.86 million, which is a 4.8 percent increase over 2017." The U.S. has the highest per capita cost at $233, which does not include the effects on productivity and resources, delays in executing on a business's strategy, or lawsuits that could arise. The study also found that the "likelihood of a recurring material breach in the next two years is 27.9 percent."
The implementation of a data breach incident response plan sets into motion a preapproved and tested process to help mitigate the damages associated with a breach, and it will likely require involvement of individuals and departments throughout your organization. Training and resources available to businesses for helping ensure data privacy include those of the International Association of Privacy Professionals. To begin the process of setting up a data response plan, follow these steps.
1. Plan around the stakeholders.
An effective response to a data breach requires careful planning before the data breach occurs. Then, for any plan to succeed, the various parts of your organization will need to work in concert—and in their areas of expertise—on assigned tasks, as fallout from the breach unfolds. The involvement of senior management to formulate a planned response is crucial, as an ad hoc response to a data breach without senior leadership is a recipe for panic, chaos, and ultimately fiasco.
Some of the stakeholders who need to be brought in to develop a plan typically include:
- CIO and information technology team. Your IT staff—with their technical expertise and ability to monitor, assess, and mitigate damage from the data breach—are at the forefront of any response. They will collect information, analyze compromised data, identify vulnerabilities, isolate affected systems, determine whether third parties were affected, restore compromised data, and support a forensic investigation of any data breach incident.
- Legal and compliance. With a complex web of different privacy regulations spread across the world, a legal misstep in a data breach could invite governmental scrutiny, fines, and even litigation. Prior to a data breach, your legal team interacts with business partners to negotiate breach-related terms for both data belonging to the organization and data belonging to business partners. After a breach occurs, legal will be responsible for communicating with law enforcement and government agencies, as well as with business partners.
- Human resources and unions. Your organization's HR department is crucial in communicating privacy requirements and data-handling to employees. HR also is responsible for communicating with employees—both current and past, as necessary—about a data breach incident. If your organization is unionized, close consultation with union leadership in developing the plan helps ensure unionized employees know their roles and responsibilities in any data breach incident response.
- Sales and marketing. Customer databases are often attractive targets for hacking and data breaches, so sales and marketing will often be the most directly affected groups within your organization. Marketing may be tasked with working with your corporate communications team to craft consumer-facing communications consistent with the overall tone and message of your organization in the wake of a data breach.
- Business development. Business development personnel monitor critical business relationships. During a data breach incident, business development may be tasked with conveying the unfavorable news of a breach of data belonging to a client.
- Finance. Data breaches can be expensive. Finance personnel budget and advocate reserves for prevention, employee training, and incident response—helping prevent budget infighting should a data breach incident require a major and unexpected outlay of funds previously allocated to other departments. Also, your finance department will work with insurance carriers to negotiate terms of general liability and "cyber insurance" coverage, as well as working with insurers to file a claim, should a data breach incident occur.
- Communications and public relations. A critical component of any crisis is making sure a consistent message is conveyed to the media and the public. As stewards of your organization's image, your communications team will interact with media outlets—including via social media—to help ensure the accuracy of news reports and shoot down the inevitable false rumors.
- President/CEO. Considering the stakes and resources involved, getting senior leadership backing for a data breach incident response plan is crucial for the plan's implementation and success. Employees take cues from top executives and know whether your organization truly values developing the plan by the attention and resources devoted to it by the leaders of your organization. During a data breach, the President or CEO will be the public face of the organization and should work with the communications team to develop a consistent message to maximize trust and minimize reputational damage.
2. Develop and integrate the data breach incident response plan.
Developing the plan will require close interaction and sign-off among the major stakeholders in your organization to form incident response teams. Once the plan is in place, it needs to be integrated within a broader business continuity plan, or BCP, which spells out an organization's response to disasters such as fires, floods, or acts of terrorism. A major data breach can cause organizational damage rivaling such disasters, so it is properly incorporated into the BCP.
The BCP sets out the roles and responsibilities for each stakeholder in the event of a data breach. Each stakeholder should have knowledge of the plan and be prepared to execute the plan prior to a data breach. Confusion over roles can lead to delays and mean the difference between a successful response and a failed one.
A typical data breach response plan will be incorporated into the organization's budget and should allow for threat detection and isolation, forensic investigation, engaging consultants and outside counsel, media outreach, reporting and notification to governmental authorities, and other related expenditures.
3. Train your team and test the plan.
Once the data incident response plan is integrated within the BCP, stakeholders and employees should train for a data breach response. While this training may include workshops and other traditional training methods, "tabletop" exercises have increasingly been seen as a key component of best practices.
During a tabletop exercise, stakeholders and employees are presented with a simulated data breach and then they gather to discuss what they would do in such an event, while establishing roles and responsibilities. These tabletop exercises could take up to a half day or longer and should be conducted at least twice a year.
While tabletop exercises never quite capture the nuanced unpredictability (and adrenaline) of a real crisis, they do prove useful in getting an organization comfortable in responding to an actual data breach incident.
4. Update the data breach incident response plan.
Once the data breach response plan is in place, it is important to keep it updated, not only due to changes in the technological and legal landscapes, but because lessons gleaned from tabletop exercises can unearth hidden vulnerabilities in a simulated response that should be corrected quickly. These lessons should be systematically documented.
All stakeholders and employees should be updated concerning changes in the plan, with changes being reflected in subsequent tabletop exercises.
A data breach incident can prove as challenging to a business as any natural disaster, but companies that plan for it by including data breach incident response within their BCPs have a better chance of riding out the storm and surviving a data breach incident.