[BreachExchange] Assembling Your Company's Data Breach Response Plan

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 9 13:59:01 EST 2016


http://www.lexology.com/library/detail.aspx?g=5203afc8-4e51-4856-bad8-bb050057a50f

No matter how carefully, thoughtfully and diligently a company works to
prevent it, data breaches happen. Company management, IT teams and outside
consultants can do everything right and still end up dealing with a breach.
That means that knowing how to best respond when (not if) a breach happens
should be part of every company’s data protection strategy.

We recommend that every company assemble a security breach team, consisting
of individuals inside and outside of the organization who possess different
skill sets. This may include technology officers, as well as staff from IT,
human resources, communications, legal departments, outside counsel, and
outside vendors. The composition of the team will depend on the type and
size of the organization, but each member should be in a position and have
skills that enable the organization to quickly and properly respond to an
incident. The team must also be equipped, authorized and empowered to
evaluate and immediately react to an incident once it has occurred.

Each individual on a security response team should have a clear
understanding of their role and responsibilities before, during and after
an incident. Having a detailed plan in place will increase the likelihood
that the damage resulting from a breach can be contained. Including a list
of key contacts and contact information will ensure that the plan is put
into action without delay. That plan must be maintained over time, and
inside or outside counsel should be consulted on the often-changing
landscape of breach response requirements.

Assembling a breach response team and creating a plan are only the first
steps. The plan must be written, accessible, and practiced to ensure an
effective response under pressure. Many businesses that fail to keep a hard
copy of their breach response plan are surprised to find it inaccessible
because the breach has impacted the company's computer system. Tabletop
breach exercises are another necessary but often-forgotten step to ensuring
your team is not carrying out a breach response together for the first time.

When responding to a data breach, the team should take steps to both stop
and repair the breach, as well as investigate how and why it occurred. The
incident should be fully documented during this process, and steps should
be taken to ensure the confidentiality of information. Depending on the
nature of the breach, law enforcement may be able to help in the
investigation.

If an incident is impacting a business’ operations, the impacted systems
should be isolated from other network systems in order to mitigate the
damage. If a breach is not causing ongoing harm, the best course of action
may be to monitor the situation closely while the root cause and extent of
damage from the breach can be investigated. Throughout this process,
members of the security response team should have a clear understanding of
their roles and responsibilities, and remain in close contact and
communication with others within the organization.

Concurrently with its breach investigation, a company and its security
response team must determine its breach notification requirements. Every
state has data breach notification requirements that depend on the
individuals affected and the type of information subject to the breach, but
states' requirements vary drastically. Some states may require reporting
the breach to an agency or the credit bureaus. Some states also require
that individuals affected by a breach receive certain information or
identity monitoring services.

In general, an incident should be reported to law enforcement if it appears
to be malicious and involve criminal activity. In some instances, depending
on the type of company and industry involved, reporting is mandatory.
Breaches of health care information, for example, must be reported by
HIPAA-covered entities. A privacy attorney should be a part of your team.
This attorney can advise regarding which notifications are required and
recommended.

Moreover, data security breaches are increasingly leading to litigation.
More and more class action lawsuits are being filed against companies when
sensitive consumer or patient information is exposed. Therefore, in the
event of a breach, security response teams must carefully document their
investigations in order to ensure the quality and admissibility of evidence
in court. Part of every data breach incident plan should be guidelines on
how to preserve and protect evidence.

Data security is an increasingly important issue for companies of all types
and sizes. Creating a detailed plan that addresses how an incident should
be remediated and investigated from start to finish will go a long way to
mitigate damage from a breach. Creating a security response team that is
knowledgeable, well-trained and well-equipped to deal with an incident is
the first and most important step that any company can take to prepare.