2No Engagement With Outside Counsel
Enlisting an outside attorney is highly recommended. No single federal law or regulation governs the security of all types of sensitive personal information. As a result, determining which federal law, regulation or guidance is applicable depends, in part, on the entity or sector that collected the information and the type of information collected and regulated. Unless internal resources are knowledgeable with all current laws and legislation, it is best to engage legal counsel with expertise in data breaches to help navigate through these challenging landscapes.
3No External Agencies Secured
All external partners should be in place prior to a data breach so they can be immediately called upon when a breach occurs. The process of selecting the right partner can take time, because there are different levels of service and various solutions to consider. Plus, it is important to think about the integrity and security standards of a partner before aligning the company brand with it. Not having a forensic expert or resolution agency already identified will delay the data breach response process.
4No Single Decision-Maker
While there are several parties within an organization that should be on the data breach response team, every team needs a leader. Determine who will be the driver of the response plan and primary contact to all external partners. Also, outline a structure of internal reporting to ensure that executives and everyone else on the response team is up-to-date and on track during a data breach.
5Lack of Clear Communication
Internal miscommunication can be the main cause of a mishandled data breach, because it adds confusion and delays in the resolution process. Ensure that there is one clear leader, and once the incident response team is in play, provide internal stakeholders as well as outside partners with ongoing updates on the resolution progress.
6Waiting for Perfect Information Before Acting
Managing a data breach often requires operating with incomplete or evolving information about the specifics of the incident, due to new information learned by security forensics investigations. Companies need to begin the process of managing a breach once an intrusion is confirmed and be flexible with the road map. Waiting for perfect information could ultimately lead to condensed timeframes that make it difficult to meet the many legal and regulatory requirements.
7Micromanaging the Breach
Data breach resolution often requires the support and involvement of multiple departments and teams because the incident response can intersect with areas such as IT, human resources, legal, and public relations, among others. Often, companies fail when micromanaging occurs by one leader. Trust your incident response team, outside counsel and breach resolution consultants, and hold them responsible for executing the incident response plan.
8No Communications Plan
Media scrutiny of data breaches and security incidents is at an all-time high, and negative stories can lead to a significant loss of reputation. In the event of a breach, companies should have a well-documented and tested communications plan that includes draft statements and other materials that can be activated quickly. Failure to integrate communications into overall planning typically means delayed responses to media and likely more critical coverage.
9No Post-Incident Remediation Plans
Companies should consider and plan how to engage with customers and other audiences once the breach is resolved and put additional measures in place to prevent future incidents. If an organization makes additional investments in processes, people and technology to more effectively secure data, finding ways to share those efforts with stakeholders can help rebuild reputation and trust. Yet, many fail to take advantage of this long-term need once the initial shock of the incident is over.
10Not Providing a Remedy to Consumers
Companies should put customers at the center of decision-making following a breach. This focus means providing some sort of remedy, including call centers, where consumers can voice their concerns, or credit monitoring if financial, health or other highly sensitive information is lost. Even in incidents that involve less sensitive information, companies should consider other actions or guidance that can be provided to consumers to protect them.
11Practice, Practice, Practice
Above all, a plan needs to be practiced with the full team. An incident-response plan is a course of action that needs to be continually updated and revised. By conducting practice exercises on a regular basis, teams can work out any hiccups before it’s too late.