Data Breach Lessons Learned From the Trenches

by Chris Preimesberger

Every sector is susceptible to a data breach, and when cyber-criminals find vulnerabilities, they will use them time and again to attack similar industry organizations. Organizations can significantly reduce the costs and reputational fallout by having a strong IT security posture, chief information security officer (CISO) or outsourced IT consultant, and an incident-response plan. The response plan, similar to a fire drill, should be practiced and backed by a team that includes C-suite executives, IT, legal counsel, forensics, breach resolution providers, public relations and human resources.

When an organization employs a collaborative process, the response usually has a much better outcome. That means IT professionals should be actively listening to breach experts, such as forensic teams, breach resolution providers, privacy attorneys, and public relations or crisis communication consultants. After all, these firms walk, talk and breathe data security and data loss every day.

It is important that a company’s response team have a lean approval chain in place, with key owners and approvers established in advance of an incident. During a crisis, there are often several viewpoints to be considered, but ultimately a decision must be made to move the response forward. For efficiency, one person, or a small group, should be identified as the delegated authority to make executive decisions and articulate questions or concerns quickly up the chain of command.

Identifying and vetting third-party data breach partners ahead of an incident is critical to ensuring they understand an organization’s business and can engage quickly. Consider pre-breach agreements with partners that include forensics firms, legal counsel, print and call center providers, credit-monitoring services and public relations agencies to ensure greater response alignment and reduce the likelihood of changing partners midstream, which can prove devastating to an organization’s response following a breach.

To properly prepare for a breach and drive adequate response, companies should ensure that their data breach response plan outlines high-impact incidents based on the type of information they collect, their industry sector and operating countries. Organizations should conduct research and audit how industry peers have handled relatable breach incidents. For example, in the retail sector, organizations should evaluate recent payments breaches and plan for a similar scenario.

Many organizations feel pressured to communicate to their customers as soon as they discover a breach. Don’t be hasty and induce panic among consumers, which can lead to poor decisions and crucial mistakes. Instead, when possible, complete the forensic investigation before announcing the breach, so the company can communicate the most accurate information and appropriate remediation steps.

Communication to media, regulators, customers and partners is often center stage during a breach response; if done improperly, it could significantly harm a company’s corporate reputation. In an organization’s outreach to the breach population and key external stakeholders, send clear, honest breach notifications, provide credit monitoring or identity theft protection for customers, and keep an open line of communication.

Don’t forget about the people affected by the breach: customers, patients or employees. They aren’t just a checkbox on a response plan. Remember, those stakeholders are most likely to call the media, litigators or perhaps switch to the competition. Identify the demographics of the company’s affected customers to anticipate potential roadblocks. For instance, do the data breach notifications and/or call center support multiple languages? A company’s response to an incident should keep the customer top of mind.

It’s in an organization’s best interest to develop relationships with regulators before suffering a breach. While customers are a key stakeholder group, communications and compliance with regulators and policymakers at both the state and federal levels should be taken seriously. Developing a meaningful dialogue while engaging them openly and transparently to provide timely answers to any questions they pose is critical to a company’s long-term response strategy.

With the growing awareness of data breaches, it is no surprise more organizations are evaluating and investing in cyber insurance, and the number of companies purchasing these policies continues to grow. The 2013 Betterley Report estimates $1.3 billion in annual premiums on cyber and privacy insurance policies were collected by U.S. insurance companies in 2013. Investing in cyber insurance can help organizations reduce the cost of a breach and provide added benefits to a company’s security posture via access to data breach experts or other valuable services.