What is a data breach?
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.
Why create a Data Breach Preparedness Plan?
The average total cost of a typical breach in the United States is $5.4 million and is climbing each year. Some breaches cost much more than that, which is why it’s so important to be prepared. Multiply this type of criminal activity by the hundreds, thousands or even millions of records that are typically compromised in one breach and you begin to realize just how costly a data breach is. A data breach can take a heavy toll on a company or agency of any size. Having a breach preparedness plan already in place can help you act quickly if one occurs within your organization. Acting as quickly as possible can help to prevent further data loss, significant fines and the costly customer backlash we have witnessed in the past with other organizations.
In the midst of a data breach, there won’t be time to decide who is going to delegate, direct and carry out these protocols. It is best to develop your response plan and build your response team before you need them.
Your designated team should coordinate efforts between your company’s various departments and fulfill two primary functions:
- The immediate function is to develop the data breach response plan and prep the entire organization on proper protocol during a breach.
- Then, if a breach does occur, the team will implement the response plan, engage the proper resources and track the efforts.
Assemble your response team
It is very important to choose an incident lead when situations arise relating to data breaches within your organization. Your incident lead should be able to do the following:
- Coordinate and manage your organization’s overall response efforts and team.
- Act as a liaison amongst managers and executives and other team members to report progress and problems.
- Identify key tasks, manage timelines and document all response efforts from beginning to end.
- Ensure all contact lists remain updated and team members remain ready to respond in relation to the data breach.
Law Enforcement in relation to data breaches
Depending on the severity of a specific data breach, you may need to involve the law enforcement community to assist you in your efforts to investigate, seek, and apprehend suspects. Take the time to collect all of the appropriate contact information now so you can act quickly if a data breach does occur.
- Identify which local, state and federal authorities, including the FBI and Secret Service, to contact in the event of a data breach involving criminal activity.
- During a data breach, be sure everyone on the data breach response team is aware of any law enforcement directives so the investigation isn’t interrupted abruptly.
Data Breach Resolution Provider
Contract with a data breach resolution vendor in advance of a breach to secure the best rates possible. Your vendor should be able to do the following:
- Assign you a designated account manager to handle escalations, reporting and tracking.
- Handle all aspects of notification, including drafting, printing and mailing letters and address verification.
- Offer proven identity protection to victims, comprehensive fraud resolution and secure call center services for affected individuals. Communicate to victims that these methods have been proven to be most effective.
In addition to a company-wide focus on data security and breach preparedness, department-specific training should trickle down from the data breach response team. Each member of the team has a unique responsibility to apply prevention and preparedness best practices to his or her own department.
Data breach notification
Sixty days. That’s generally the amount of time businesses have to notify affected individuals of a data breach, assuming notification is required by law. The countdown starts the moment a breach is discovered. Depending on varying circumstances, you may have even less time. Not all breaches require notification. If your data was encrypted or an unauthorized employee accidentally accessed but didn’t misuse the data, you may not need to notify. Be sure to seek and follow legal advice before deciding to forgo notification.
It is your responsibility to determine the deadlines for notification according to state law. The notification deadline is a heavy weight on top of the already burdensome and stressful ordeal of a data breach. One way to help eliminate some of that stress is determining how you’ll handle notifications before a breach occurs. Lining up a data breach resolution provider in advance can help shave off both time and stress from your response efforts. In many cases, you can even save money by signing a contract with a provider in advance of a breach (Experian, 2013).
What to Look For in a Data Breach Resolution Provider
Above all, your data breach resolution provider should make security a top priority throughout the notification process. Unlike standard direct mail production, data breach notification requires critical service and quality assurance elements to ensure compliance. Look for one vendor that can seamlessly handle notifications from beginning to end and make a positive impact on your brand. Be sure to double check and test phone numbers and URLs in all communications. Notification letters may contain sensitive data and require secure handling through every stage of drafting, printing, and mailing.
As dictated by state law, a notification letter may need to include:
- Clear language, not industry jargon, that the average person can understand.
- A toll-free phone number for individuals wanting additional information.
- Details about the type of data lost and how it was lost, unless prohibited by law.
- Next steps to help affected individuals regain their security, such as signing up for a complimentary identity protection product.
Solutions to Data Breaches
After enduring major financial losses and the compromise of confidential information, many companies have looked for ways to implement a strategy for dealing with data breaches. Recently, insurance companies have begun offering coverage for hacking damages; for example, Executive Risk Insurance Services, an insurance company based in Toronto, Canada, has taken an interest in data breach protection.
Important steps in protecting against data security breaches
Make appropriate provisions for safeguarding data and implement an information security policy.
In conclusion, data security breaches have resulted in major financial losses as well as reputational damage. There is an unexpected benefit, too: they are providing a major wake-up call to executive management regarding the criticality of data protection. Cloud computing only exacerbates existing risks, and data asset inventory and valuation remain major problems. Adopting an information-centric approach is the right way to go, and the selection and implementation of appropriate technical controls makes all the difference in the world. The worst approach is to do nothing at all. “All victims share something in common: they never thought it would happen to them.”