Friday, June 11, 2010

Contingency Planning for a Data Breach

The worst has happened—your company has suffered a data breach.  Now what do you do?  Was the data credit cards?  Social Security numbers? Medical information?  Which laws apply?  How will your customers/stockholders/employees/patients perceive this event?  What services should you offer to help mitigate the damage?  Who in the organization should make these decisions?  These are the types of questions that should be settled ahead of the incident, not in the heat of the moment when the media is camped outside the corporate offices.

Contingency planning for a data breach event should be viewed as a subset of the organization’s Incident Response Plan.  This plan covers a specific set of circumstances that will not occur during every incident—not every event will result in the discovery of a data breach.  When it does happen, however, preparation can make all the difference in the way a company handles the events that follow.

As with an Incident Response Plan, a team should be identified to handle the event.  Members of the team should be representatives of the company’s technical and business units, including Information Security, Public Relations, Legal, and any other group that may be needed, depending on the type of data disclosed.  For instance, publicly traded companies may want to include representatives from Investor Relations in addition to those listed above.

Once the members of the team have been identified, a plan should be put together that addresses the questions in the first paragraph of this article—the plan may change somewhat based on the type of data disclosed and the function of the organization.  Each data type should be included if the response will be different.  The representative from Legal should be able to provide an overview of the laws that apply to each instance, as well as the breach notification laws for all the locations in which the company has customers.  Keep in mind this may include both domestic and international laws, based on the locations of the customers, not the company.  This matrix of relevant laws will be very useful in an actual incident as a quick reference.

If services (such as credit monitoring) are to be offered, the time to investigate which service provider to engage is before a breach occurs.  This way, terms of service can be negotiated when urgency is not a factor.  The plan should document the terms once they are finalized, along with any contact information required to activate the use of the service.  A contact number should be established ahead of time for those who are notified to call should they have questions (this is included in the notification letter), and a script prepared in advance (as a sample, to be populated with relevant details if it is needed) for those who will be answering the phones.  (The group that will be answering these calls should also have a representative on the team to ensure that they can provide any planned services.)  Similarly, sample notification letters can be drafted as part of the plan.  This will save time during an incident when notification is necessary, and provide a consistent framework for notification over time.

On the topic of notification—the plan should include the organizations that need to be notified as well.  In some cases, depending on the data type, this may include the credit card brands (Visa, MasterCard, etc.), the company’s bank, law enforcement, or government agencies.  Some cases may require notifying the press, so sample press releases should be drafted as well.

The final step with any of these types of plans is to conduct a trial run—a test of the plan’s completeness and correctness.  Annual testing will ensure that the plan is kept up to date with changes in the law and with changes in the members of the team.  It will also give the organization the opportunity to make the changes identified during the test, making the plan stronger and more useful.

While no organization wants to believe that it will experience a data breach event, the press regularly reports examples of these events occurring.  With planning and preparation, the response to such an event can be handled without panic, minimizing the impact of the breach on the organization.
