
Data Breach Response Plans: Yours Ready?

The smart money treats data breaches as a ‘when,’ not an ‘if,’ proposition. Don’t wait until the last minute to do this homework.

By Mathew J. Schwartz InformationWeek
October 04, 2011 10:45 AM

What’s the best way to handle a data breach? Ideally, the information security practices of businesses, government agencies, and their contractors would be so refined that a single record would never be exposed. But data breaches are a fact of life, and furthermore even the best security program in the world wouldn’t defeat a determined, malicious insider.

How many businesses, however, even have a world-class security infrastructure? Last week, for example, saw the exposure of personal details on 4.9 million people, including names, social security numbers, and addresses, thanks to the theft of unencrypted backup tapes containing TRICARE data that were left in the care of a Science Applications International Corporation (SAIC) employee. In the annals of information security best practices, failing to encrypt stored data ranks as an amateur–if not uncommon–mistake.


That’s why the smart money on data breaches is to treat them as a “when,” not an “if,” proposition, especially when it comes to dealing with state attorneys general, as well as any relevant regulatory body. “Don’t wait until a breach occurs to think about how you will deal with the regulators. A data breach event does not necessarily mean that you are doomed in the eyes of the regulators, but they do have expectations,” says Theodore J. Kobus III, an attorney at Baker Hostetler, in a blog post.

When a breach does occur, businesses must gather as much information as possible, stay transparent, and proactively manage the situation. “Data breach prevention and mitigation is a C-suite issue and not an IT-only issue,” he says.

Also think about and make plans for how a breach will shake customer confidence. That’s because a recent study from Ponemon Institute found that the leading cost of data breaches was the resulting customer churn. While the average quantity of customers lost after a data breach was 4%, some industries–healthcare and pharmaceutical companies–saw average churn rates of 7%.

To keep customers, preparedness and cool heads pay off. Timing-wise, for example, don’t assume that immediately disclosing a breach should be the first step. “I’ve seen organizations that totally jumped the gun–‘We’ve got to do it’–and they’ve notified, but have no response mechanism in place for the individuals who have been affected, so it’s adding insult to injury,” Brian Lapidus, chief operating officer of Kroll Fraud Solutions, tells me. “We always tell our clients that if they’re going to notify about the problem, say what the solution is at the same time, and give them avenues to call or contact you back.”

Delivering the “we’re aware of the problem and working to fix it” message–and meaning it–requires planning. Start by identifying who will be in control of the data breach message, have premade scripts ready to deploy to call centers, and draw up a list of personnel who will be drafted to help manage the situation. Planning helps frontload some of the logistical detail work related to notifications, such as having up-to-date address information for as many current or former customers as possible.

Regulations, however, will require constant minding. Each of the 48 states has its own data breach laws on the books, and they can differ. Massachusetts, for example, doesn’t want to see a lot of detail in the notification letters sent to its residents, while New Hampshire does.

Data breach disclosures, correctly executed, can help businesses not just forestall customer defections, but also defuse class-action lawsuits in cases where customers can’t prove that they’ve been directly harmed by the breach, says Lapidus. But courts want to see businesses respond in a proactive and forthright manner, whether investigating the breach, notifying authorities, or alerting customers and extending identity theft protection.

Ideally, any data breach response plan would include an internal forensic investigation to identify exactly which records had been exposed, and how, not least to strengthen future information security defenses. Owing to time and cost, some businesses skip this step–according to a study sponsored by SAIC. But they may be doing themselves a disservice. “We had a client who thought it had a breach of 1.5 million people’s records–that would be extremely costly. But forensically, they were able to prove that the network had not been compromised,” says Lapidus. “What looked like an intrusion on the outside, wasn’t.”

While that outcome might be rare, with a little data breach planning and by putting a good breach-response strategy in place, it’s at least a possibility.
