Organizations can greatly reduce the cost of a data breach by having a well-established incident response preparedness plan. Data breaches can happen to businesses of all sizes, non-profits, educational institutions and government organizations. It’s assumed today that every business that collects some type of data is subject to a data breach and will suffer data loss. Whether you are a Fortune 500 company or a local merchant, if you collect data, you are at risk.
Once you’ve created your preparedness plan, you’ve cleared one of the major hurdles in preparing to respond successfully if a data breach occurs. Your preparedness plan can only be successful if it’s comprehensive and current. Each quarter, make it a priority to update, audit and test your plan. Consider different data breach scenarios that could occur and whether your plan would help address each one, including an internal breach, external attack, accidental data sharing and loss or theft of a physical device.
*Most Overlooked Details*
Here’s a glimpse of a few commonly overlooked details that should be on your radar during a preparedness plan audit.
*Call center*
Establishing a way for those involved in the data breach, such as your customers and/or employees, to contact you is important. Bring in external resources to help handle the high volume of calls. The first few hours following a data breach are not the time to hide from your consumers and others involved. Instead, be readily available to answer their questions in order to reinforce the value of your brand and your commitment to their security and privacy.
Whether you plan to use internal or external resources, be sure you:
- Are prepared to quickly pull together training materials, such as incident FAQs. Highly knowledgeable and empathetic call center representatives can make a positive impact on your brand during a crisis.
- Are able to scale the call center portion of your preparedness plan to fit any incident. In addition to identifying needed call center resources in advance of a breach, also create a call center script template specifically geared toward crisis management.
- Conduct ongoing crisis training for your regular call center, whether it’s internal or external, so representatives are trained in handling sensitive information as well as emotional callers.
- Oversee several test calls to confirm the call center is ready to handle incident-related calls.
With companies being subject to data breaches at the hands of their vendors, take steps to ensure your company isn’t headed down the same road. Select vendors that have appropriate security measures in place for the data they will process.
Ensure that your vendors have the necessary training and technology in place to safeguard the data. Assess whether they are meeting your requirements for proper data protection on a regular basis.
In general, it makes sense for companies to require that vendors:
- Maintain a written security program that covers the company’s data.
- Only use the company’s data for the sole purpose of providing the contracted services.
- Promptly notify the company of any potential security incidents involving company data and cooperate with the company in addressing the incident.
- Comply with applicable data security laws.
- Return or appropriately destroy company data at the end of the contract.
So you’ve determined all of the steps and precautions you’ll need to take if a data breach occurs. But responding to one can take significant company resources.
Does your preparedness plan address the operational challenges of managing a breach in conjunction with managing the day-to-day business?
For example, if your head of security and/or IT is tied up with breach response, who oversees the department in the meantime? Answering questions like these truly helps to illustrate that data security, data breach preparedness and data breach response require company-wide awareness and involvement.
As part of your preparedness plan, have every member of the response team prep his or her department on what to expect and how to operate during data breach response. Everyone on staff should understand how their roles might change during a breach in order to maintain operations.
Preparedness Audit Plan Checklist
At McAfee Institute, we have adopted a Preparedness Plan Checklist from Experian. That checklist is below for you to adopt as well, with any changes necessary to fit your organization’s individual audit plan checklist.
Data security and privacy must become part of an organization’s culture. Be prepared with an incident plan to help protect your data, detect a breach and quickly mitigate the impact. The responsibility cannot be limited to one individual or one group; it is every employee’s responsibility to follow the guidelines. This will help to ensure that your organization is ready to take the appropriate steps to minimize damage to your customers, employees and brand in the event of a data breach.