5 Best Data-Breach Planning Practices for 2019
These five tips can help you build a thorough and reliable data-breach response plan.
- By Paige Boshell
- January 4, 2019
For starters, “data-breach plan” is a misnomer. The risk management program is actually a prevention, detection, response, and resiliency plan. Such plans are living documents that require regular reassessment, both at scheduled intervals and whenever a substantive change is proposed or takes place in a product, service, customer type, vendor, data collection, use or disclosure, or the corporate structure itself.
For 2019, here are five best practices for data-breach planning.
1. Assemble Your Team
Stakeholder participation is critical. Identify your experts, both internal and external, to increase the effectiveness of your plan and ensure that your team is ready.
Outside counsel ensures that your plan is legally compliant, taking into account industry standards and best practices. Legal input is needed to address mitigation of class-action and regulatory-enforcement risks. Post-breach, having your lawyer coordinate your internal and external teams can help protect attorney-client privilege over investigation communications and decision making. Practice tip: your first call post-breach should be to your outside counsel.
A cyber insurer can help assess your data breach risk and the insurance coverage you need. Coverage tip: make sure the policy lets you select your own service providers post-breach, so that you can use the team you have already assembled and practiced with rather than a panel vendor you have never worked with.
Having external forensic investigators engaged pre-breach, with a retainer and onboarding already in place, allows the plan to be deployed quickly when an incident occurs. Including them in planning and testing may be worthwhile depending on the sensitivity of the data at issue and the complexity of your operations or data usage.
Internal legal counsel and compliance officers address regulatory risk. These professionals have in-depth knowledge about your business operations and goals, and can work effectively with outside counsel to develop your plan.
Information security experts advise the team on how risks may be mitigated using existing systems and what additional technology might be required. These experts are typically charged with implementing your plan. During an incident, IT works with the external forensic investigators, engaged through outside counsel, to contain and respond to the breach.
HR addresses employee concerns and ensures that training required by the plan and post-breach messaging are properly implemented and supervised.
Marketing contributes to post-breach messaging to ensure that external communications are consumer-friendly and consistent. Any marketing that mentions privacy or security, whether pre- or post-event, should be vetted by legal counsel and compliance officers.
Business stakeholders ensure that the rest of the team understands the business goals and strategies and that management is supporting a culture of privacy and security throughout the business. Data protection is critical to managing reputational and market valuation risks. Business buy-in is key.
A decision maker is the captain of the team, with the authority to build, tweak, and implement your plan. In a breach crisis, communications among the team will run both horizontally and vertically, often simultaneously. The person in this position should be familiar with every team member's role and concerns and is responsible for post-breach messaging, which must remain consistent internally and externally throughout the response and remediation phases.
Other potential external team members include public relations, law enforcement, and vendors (pre- and post-breach).
2. Inventory and Assess Your Data Breach Risks
These tasks are typically conducted as part of your data protection planning. For breach planning, ensure that:
- The points at which a breach may occur are identified in the data inventory, including each access vector (who and what can reach the data, and how)
- The legal, fraud, reputational, and market consequences of a breach at each point are understood
- The administrative, physical, and technical controls that mitigate these risks are in place, and the limitations of each control are specified
Risks must be properly understood by your legal and compliance staff and by IT, and documented in your plan. Remediation will depend on the nature of the risks and the applicable controls. Team input is invaluable. Practice tip: consider using the NIST Risk Management Framework (RMF) or another applicable risk assessment framework or tool.
3. Empower IT
IT should understand the concerns of each stakeholder so they can be addressed and documented in the plan. IT educates legal and compliance personnel so they understand how the technology works with respect to data access and protection, as well as breach prevention, detection, and response. Technical capabilities, the potential uses of data, and who has access to it should also be considered. The business stakeholder should make sure that IT understands the business goals at issue. Any tensions between breach-prevention efforts and business strategies should be resolved in the plan. All security measures should be thoroughly documented in your plan and communicated throughout the business.
IT also monitors evolving technology and industry practices to ensure that all security measures are at least reasonable in light of the risks posed.
4. Build a Culture of Privacy and Security
Employees must understand how privacy and security relate to both the core of the business and their individual roles. Regular training to recognize and report possible threats, such as phishing or business e-mail compromise, reduces the risk of a data breach. Foster a culture where questions may be asked and anomalies reported to a centralized function (be that IT or another group) without fear of blame, so that patterns of suspicious activity or vulnerabilities can be properly identified and assessed, both pre- and post-breach.
5. Use the Plan as Your Road Map
Deployment of your plan and its various phases should be practiced, for example through tabletop exercises that walk the team through a realistic scenario. In the event of a crisis, the plan should provide immediate and familiar guidance for each member of the response team. Each contingency should have been addressed in advance so that complex legal or operational issues are not tackled for the first time during the crisis.
Regular testing highlights potential shortfalls in the plan and ensures that team members understand their roles and have experience fulfilling them.
A Final Word
Breach planning is essential in today’s cyber-environment. These efforts should be embraced by all stakeholders and evaluated continuously. A post-breach review of what happened and how the response performed is absolutely essential for resilience and plan improvement.
Paige Boshell is managing member of Privacy Counsel LLC, which provides comprehensive and strategic legal advice on data breach planning and response, cybersecurity and privacy compliance, emerging tech, and complex tech transactions.