In this wired world, a major data breach can wreak more havoc on your organization than a fire or flood. Learn how you can mitigate the damage from a data breach with a data breach incident response plan.
by Tim Peterson, Esq.
An attorney with over 20 years of experience working in a variety of law firm and in-house positions, Tim Peterson sp...
Updated on: September 8, 2023 · 6 min read
A major data breach can be an existential threat to your organization. And even a minor data breach can cause embarrassment and turmoil, not to mention government scrutiny, litigation, and loss of trust and reputation for your organization.
As reported by the International Association of Privacy Professionals, the Ponemon Institute's 2018 Cost of a Data Breach Study "estimates the average cost of a data breach is USD $148 per record, or $3.86 million, which is a 4.8 percent increase over 2017." The U.S. has the highest per capita cost at $233, which does not include the effects on productivity and resources, delays in executing on a business's strategy, or lawsuits that could arise. The study also found that the "likelihood of a recurring material breach in the next two years is 27.9 percent."
The implementation of a data breach incident response plan sets into motion a preapproved and tested process to help mitigate the damage associated with a breach, and it will likely require the involvement of individuals and departments throughout your organization. Training and resources available to businesses for helping ensure data privacy include those of the International Association of Privacy Professionals. To begin the process of setting up a data breach response plan, follow these steps.
An effective response to a data breach requires careful planning before the data breach occurs. Then, for any plan to succeed, the various parts of your organization will need to work in concert—and in their areas of expertise—on assigned tasks, as fallout from the breach unfolds. The involvement of senior management to formulate a planned response is crucial, as an ad hoc response to a data breach without senior leadership is a recipe for panic, chaos, and ultimately fiasco.
Some of the stakeholders who need to be brought in to develop a plan typically include:
Developing the plan will require close interaction and sign-off among the major stakeholders in your organization to form incident response teams. Once the plan is in place, it needs to be integrated within a broader business continuity plan, or BCP, which spells out an organization's response to disasters such as fires, floods, or acts of terrorism. A major data breach can cause organizational damage rivaling such disasters, so it belongs in the BCP alongside them.
The BCP sets out the roles and responsibilities for each stakeholder in the event of a data breach. Each stakeholder should have knowledge of the plan and be prepared to execute the plan prior to a data breach. Confusion over roles can lead to delays and mean the difference between a successful response and a failed one.
A typical data breach response plan will be incorporated into the organization's budget and should allow for threat detection and isolation, forensic investigation, engaging consultants and outside counsel, media outreach, reporting and notification to governmental authorities, and other related expenditures.
Once the data incident response plan is integrated within the BCP, stakeholders and employees should train for a data breach response. While this training may include workshops and other traditional training methods, "tabletop" exercises have increasingly been seen as a key component of best practices.
During a tabletop exercise, stakeholders and employees are presented with a simulated data breach and then gather to discuss what they would do in such an event, establishing roles and responsibilities as they go. These tabletop exercises can take half a day or longer and should be conducted at least twice a year.
While tabletop exercises never quite capture the nuanced unpredictability (and adrenaline) of a real crisis, they do prove useful in getting an organization comfortable in responding to an actual data breach incident.
Once the data breach response plan is in place, it is important to keep it updated, not only due to changes in the technological and legal landscapes, but because lessons gleaned from tabletop exercises can unearth hidden vulnerabilities in a simulated response that should be corrected quickly. These lessons should be systematically documented.
All stakeholders and employees should be updated concerning changes in the plan, with changes being reflected in subsequent tabletop exercises.
A data breach incident can prove as challenging to a business as any natural disaster, but companies that plan for it by including data breach incident response within their BCPs have a better chance of riding out the storm and surviving a data breach incident.