Guidelines for Responding to Data Breaches

By Tom Zeno and Lindsay Holmes

In the first part of this two-part article (“Best Practices for Avoiding Costly Data Breaches“), we offered practical suggestions to help protect your company from a data breach. In this article, we offer practical suggestions that will prepare your company to respond to what experts consider nearly inevitable: a data breach.

Summary of Part I

AvMed will pay approximately $3.5 million to settle a data breach lawsuit even though some of the plaintiffs could not prove actual damage from the breach. The company must forfeit the “unjust enrichment” it received over the years by not spending sufficiently for the data security it should have provided to its customers.

Plaintiffs’ litigation following the AvMed model will prove expensive for all companies that delay upgrading data security—not just those in the health care industry. The standard of due care is likely to be established by federal and state data privacy laws, which can apply to many industries that use and store personal customer information.

The “Framework for Improving Critical Infrastructure Cybersecurity,” released in February 2014 by the National Institute of Standards and Technology (NIST), should not be overlooked. Plaintiffs may consider the framework a standard that companies should meet.

Prepare a Response-and-Recovery Plan

Because even the best plans may go awry, it is important to have a response-and-recovery plan in place in the event of a security breach. Pulling your plan from the shelf will be much faster than trying to develop one in the midst of a crisis after a data breach has occurred.

A response-and-recovery plan will help ensure that employees and contractors know what to do if and when a data breach occurs. In addition to allowing the data breach to be properly managed, the plan will help your company return to business as efficiently and effectively as possible. Although experiencing a data breach will likely have a negative impact on business, a poorly managed response can be even worse.

Following are some elements of an effective response-and-recovery plan.

Get management endorsement.

A company that implements the measures described in Part I already has management support for data security efforts. Now management must support preparation of the response-and-recovery plan.

Because creating the plan will take time and resources away from the immediate goals of the company, employees may have a natural reluctance to work on it. Some also will oppose creating the plan because the up-front costs may seem wasteful after costly security efforts have been implemented. Management endorsement of the plan will be crucial to overcoming these obstacles.

Create and maintain contact lists.

As the saying goes, “Who ya gonna call?” A data breach may compromise a large segment of the company’s equipment—possibly even the entire system. In addition, the data breach may involve the personal information of thousands of individuals who must be notified promptly and accurately. Responding to a data breach likely will require experts to examine and repair the damage, consultants to deal with the media, and lawyers to analyze the legal implications.

Whether these resources are available within the company or, more likely, are outside vendors, you should identify the names and contact information in advance. Contingency contracts should be signed beforehand to avoid losing valuable time dickering about details rather than addressing the problem when a breach occurs. This list should also include relevant law enforcement agencies and your insurance provider, which may also need to be contacted in the event of a breach.

Identify an effective internal team.

As important as outside experts may be, your company must itself be prepared to respond to data breaches. Decisions must be made quickly and implemented efficiently. Identifying in advance the individuals responsible for making decisions and coordinating activities will save time and avoid conflicts that would hurt the company in the long run. If and when a data breach has been detected, convene this team to initiate the response-and-recovery plan.

Detect and contain breaches.

A key element of any response-and-recovery plan is the ability to determine that a breach has occurred. This can be very challenging in large, complex systems, but rigorous monitoring of data systems—in particular, logging and reviewing who accesses personal records, when, and in what volume—can help detect breaches that would otherwise go unnoticed for months.

Numerous security standards provide guidance on systems monitoring, including ISO/IEC 27001 and NIST publications such as the Detect function of the framework discussed in Part I. Once a breach has been detected, the company must take measures to contain and mitigate further damage, such as isolating affected systems and revoking compromised credentials. Those containment steps should be carried out in a way that preserves logs and other forensic evidence, because the later investigation, the notification decisions, and any litigation will all depend on an accurate record of what happened.
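The kind of monitoring the preceding paragraphs describe can be as simple as watching application audit logs for an account that pulls an unusual number of customer records in a short period, which is a common early indicator of the bulk data theft at issue in cases like AvMed. The following is an added example, not code from the article or from any product it mentions; the log format, the field names, the ten-minute window, the threshold, and the sample log lines are all assumptions constructed for illustration.

```python
"""Sliding-window detector for bulk record access in an application audit log.

Added example (not from the original article). The log format, field names and
the constructed sample lines below are assumptions made for illustration; real
systems will have their own schema and thresholds.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format):
#   "<ISO timestamp> user=<id> action=<verb> record=<customer id>"
SAMPLE_LOG = """\
2014-03-03T09:00:01 user=nurse17 action=view record=C10001
2014-03-03T09:04:12 user=nurse17 action=view record=C10002
2014-03-03T09:31:45 user=nurse17 action=view record=C10003
2014-03-03T02:10:00 user=svc_backup action=export record=C20001
2014-03-03T02:10:01 user=svc_backup action=export record=C20002
2014-03-03T02:10:02 user=svc_backup action=export record=C20003
2014-03-03T02:10:03 user=svc_backup action=export record=C20004
2014-03-03T02:10:04 user=svc_backup action=export record=C20005
2014-03-03T02:10:05 user=svc_backup action=export record=C20006
2014-03-03T11:15:09 user=agent42 action=view record=C10001
"""


def parse_line(line):
    """Return (timestamp, user, action, record) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return ts, fields["user"], fields["action"], fields["record"]
    except (ValueError, KeyError):
        return None


def detect_bulk_access(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag any user that touches more than `threshold` distinct records within `window`.

    Events are sorted by timestamp first, because logs collected from several
    hosts are rarely in order. Returns a list of alerts, one per burst:
    (user, distinct_record_count, window_start, window_end).
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)   # user -> deque of (timestamp, record) inside the window
    alerted = set()               # users already reported for the current burst
    alerts = []
    for ts, user, _action, record in events:
        q = recent[user]
        q.append((ts, record))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {rec for _, rec in q}
        if len(distinct) > threshold:
            if user not in alerted:          # report once per burst, not once per event
                alerted.add(user)
                alerts.append((user, len(distinct), q[0][0], ts))
        else:
            alerted.discard(user)            # burst ended; a later burst gets a fresh alert
    return alerts


if __name__ == "__main__":
    for user, count, start, end in detect_bulk_access(SAMPLE_LOG):
        print(f"ALERT {user}: {count} distinct records between {start} and {end}")
```

On the sample log the clinician who views three records over half an hour is not flagged, while the service account that exports six records in five seconds at 2 a.m. is. In practice the threshold and window would be tuned per role, and the alert would feed the internal team described above rather than a console.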