Post Equifax and Deloitte: The Importance of a Data Breach Plan

With the recent news about major breaches, particularly those in the United States, having a good data breach plan has never had more prominence in the media. In this post, we discuss the what, the why and the how of a data breach plan.

What is a Data Breach Plan?

A data breach plan is a type of incident response plan. Organisations should have incident plans for all of the types of risk that they face, but one of the more important ones is a data breach. This is important not only because of recent events, but because it is increasingly becoming a legal requirement, particularly with regulations such as NYCRR500 in the US and the GDPR in the EU, both of which require a data breach plan and require organisations to be able to notify regulators, and potentially those whose data has been breached, within 72 hours. This timescale is exceedingly short in comparison to some of the timescales that we have seen more recently: Yahoo's data breach was not announced until years after it was discovered, the Equifax breach was discovered months before it was announced, and even the Deloitte email hack seems to have been discovered months before it was announced.

Why have a Data Breach Plan?

Aside from the regulatory requirements for a data breach plan, why else should you have one?
More than anything else, it protects your organisation's reputation and allows you to plan for, to control, and hopefully to minimize the impacts of what can otherwise be a very disruptive and destructive event in a company's history.

In businesses that suffer breaches, it is not unusual for senior management to be a casualty of such events. Equifax's CEO, CIO and CISO have all retired since the announcement of their breach.

There is also the point that customers are increasingly expecting better from the companies that collect so much personal data from them. They want to be able to trust the companies that they choose to do business with, and the way a company deals with an incident like a data breach very much determines how likely customers are to continue doing business with it after the event.

How to Create a Data Breach Plan

A plan needs to be tailored to the specific organisation; however, there are some steps that you should follow to ensure that your plan contains the right information.

1. Roles and Responsibilities

Your breach plan should ensure that all of your staff understand what their roles and responsibilities are in the case of a breach.
Breaches tend to be stressful events, so don't leave these decisions to be made during the event; make sure as much as possible is decided beforehand.

2. Triage and Mitigation

Make sure that you have a good plan for triage and breach mitigation. The purpose of this stage is to understand the size, shape and scale of the breach, to stop the breach if it is in progress, and to prepare for communication with regulators, stakeholders, and customers.

3. Communication Plan

Know who you are going to communicate with, what you are going to communicate, and how frequently you are going to update people. Don't be tempted to go out to the press too early; learn the lessons from the TalkTalk event. Don't forget the importance of dealing with law enforcement, particularly if the event takes place in the US.

4. Back to Business

The purpose of the plan is to minimize the damage to the organisation, its clients, and other stakeholders, and to get the business back to normal operations as quickly as possible. The plan should have a framework that focuses on this requirement whilst recognizing that different events may have different requirements.

This post is also available as a podcast and as a video.

If your organization needs help with reviewing its existing data breach plan, or needs to create a new one, then contact Fifth Step on enquires@fifthstep.com, and we'll arrange for one of our resiliency experts to help ensure that your company does not suffer the reputational damage that others have.

You may also be interested in my latest book The CIO Navigator, available now from Amazon (UK and US stores) in both paperback and eBook format.

Darren Wray