Understanding the importance of a comprehensive and timely response to a data breach can save a company’s reputation, confidential data, and millions of dollars. The following tips and takeaways will help reduce the unknown challenges that may await.
Creating a proactive comprehensive plan before a breach occurs saves time and ensures there is an organized approach, accountability, and proper protocol in place. The team should include, and be led by, the Chief Privacy Officer and Chief Information Security Officer. Additional team members should include IT, business unit leaders, legal, procurement and marketing. External stakeholders should include outside counsel and cyber insurance providers.
The plan should include:
- A detailed playbook
- Roles and responsibilities of each team member
- Details on who does what and when
- Collaborative actions to break down silos so everyone works together
- A foundational “Road Map” to follow
- Detailed financial and status reporting
Another good idea is to speak to peers in other organizations that have dealt with this type of planning and incorporate their best practices. Once a plan is complete, conduct routine discussions to review and update it to make sure it is ready. Finally, the plan should be published broadly to educate others in the business, so everyone is aware that there is a team and plan in place to limit surprises and to respond accordingly.
A playbook provides defined procedures, sequence of steps to take, schedules, and accountability. It needs to make sense, should be to the point (otherwise it won’t be used) and must be dynamic so necessary changes can be made on the fly. Critical components include:
- Definition of roles and who oversees each phase.
- Mobilization – who does what and when.
- Reporting procedures – who needs to be made aware of the remediation status and other important items.
- Data preservation protocols.
- Risk assessment review.
- Financial tracking – potential loss, remediation, and litigation costs.
- Third-party vendors available to assist – incident response and data breach review providers
Communication and notification procedures are critical components of the playbook. The company should have specific communication policies in place to contact:
- Regulators (US, EU, and others)
- Third-party vendors
The Role of Contracts
Although they are not top of mind when there is an incident, contracts play a major role in dealing with and resolving an incident. Early planning and a focused effort on ensuring customer and vendor agreements address privacy, liability and cyber insurance are very important.
Procurement and legal must review all third-party agreements to ensure they are consistent with the company’s polices. If company or third-party agreements need to be updated, there are contract management service providers that can work with the company to quickly update them to be in compliance.
Understanding where all agreements reside, whether it be in an internal contract management platform or managed by a cloud provider, should be part of the playbook so they can be accessed quickly during a breach response.
Third-party vendors include those that provide products and services to the company and those that are available in a consulting support role to assist during an incident.
For the vendors providing products and services:
- Make sure they have privacy policies and cyber response plans in place that are consistent with the company’s approach.
- They must have adequate cyber insurance policies, which should mimic the company’s limits.
- Evaluate and audit their breach response plans on a yearly basis, at a minimum.
- Ensure they have the necessary security certifications, including SOC2 and ISO27001. These certifications validate that they have the necessary security policies and infrastructure in place.
Vendors also play an important support role for guidance and expertise during a breach. Create a list and conduct due diligence on those that can assist the team, including:
- Incident response experts.
- Breach software providers for reviewing data that may have been compromised.
- Insurance carriers and outside counsel to provide guidance and expertise.
Breach Document Review
There are times when a document review must be completed to identify potential PII and PHI that was compromised in order that employees, customers, etc. can be notified. Selecting a qualified provider with a large and experienced breach team to perform the review quickly and cost-effectively will save time and allow company team members to focus on other issues.
Finally, don’t forget about cyber security awareness training. There needs to be proactive messaging and training for all employees on the ramifications of not following proper technology usage protocols. Be sure to include key outside vendors as part of the training if they work closely with the company since they need to be aware and accountable. Quarterly presentations, webinars, and online testing are a few useful tools.
If there is an incident, debrief afterward to see what worked, what didn’t, and how the plan and the remediation approach can be revised in the event there is (hopefully not!) another incident.