By Sara Goldberger
When you experience a data breach, swift response is key – but WHOM should do WHAT and WHEN? Below are a few tips to help you in the event of a breach.
First of all, what is a data breach? The most prevalent definition is:
A data breach is an incident that involves the unauthorized or illegal viewing, access or retrieval of data by an individual, application or service. It is a type of security breach specifically designed to steal and/or publish data to an unsecured or illegal location. A data breach is also known as a data spill or data leak.
A data breach response plan is one tool to help you manage a data breach. It is a framework which sets out the roles and responsibilities for managing an appropriate response to a data breach, as well as describing the steps to be taken by an entity in managing a breach if one occurs.
You need to regularly review and test your plan to make sure it is up to date and that your staff knows what actions they are expected to take. What is ‘regular’ in this context depends on your circumstances, including the size of your corporation, the nature of your operations, the possible consequences to an individual if a breach occurs, and the amount and sensitivity of the information you hold.
Below are some typical team roles and skills; one team member may have several roles:
- Team Leader — to lead the team and manage reporting to senior management
- Project Manager — to coordinate the team and provide support
- Privacy Officer — to bring privacy expertise to the team
- Legal Support — to identify legal obligations and provide advice
- Risk Management Support — to assess the risks from the breach
- ICT Support/Forensics Support — particularly if the breach requires investigation of ICT systems
- Information and Records Management Expertise – to assist in reviewing security and monitoring controls related to the breach
- HR Support — if the breach was due to the actions of a staff member
- Media/Communications Expertise — to assist in communicating with affected individuals and dealing with the media and external stakeholders
If you hold an insurance policy for data breaches, that insurer may have a pre-established panel of external service providers in many of the roles listed above. Associations like the Cyber Rescue Alliance can also help organisations to develop their cyber response response team. Cyber Rescue Alliance is a membership alliance that helps their members to reduce the harm caused by cyber attacks by providing members with, for example, a CISO in case they lack one of their own. Cyber Rescue Alliance helps their members with the below four steps:
1 – Contain the breach and do a preliminary assessment
Take whatever steps possible to immediately contain the breach. For example, if it is detected that a customer’s bank account has been compromised, can the affected account be immediately frozen and the funds transferred to a new account?
2 – Evaluate the risk associated with the breach
Some information is more likely to cause an individual harm if it is compromised, whether that harm is physical, financial or psychological. For example, government-issued identifiers such as social security numbers, driver’s licence and health care numbers, health information, and financial account numbers, such as credit or debit card numbers, might pose a greater risk of harm to an individual than their name or address.
Consider the following in assessing the risks:
- The type of personal information involved.
- The context of the affected information and the breach.
- The cause and extent of the breach.
- The risk of serious harm to the affected individuals.
- The risk of other harms.
3 – Notify the implicated parties
Notification can be an important mitigation strategy that has the potential to benefit all parties affected by a data breach. The challenge is to determine when notification is appropriate. While notification is an important mitigation strategy, it will not always be an appropriate response to a breach. Providing notification about low risk breaches can cause undue anxiety and de-sensitise individuals to notice.
Each incident needs to be considered on a case-by-case basis to determine whether breach notification is required. When notifying try to include the following information. In the event a third party will notify of the breach, a clear explanation should be given as to how that third party fits into the process and who the individual should contact if they have further questions:
- Incident Description — Information about the incident and its timing in general terms. The notice should not include information that reveals specific system vulnerabilities.
- Type of personal information involved — A description of the type of personal information involved in the breach.
- Response to the breach — A general account of what the agency or organisation has done to control or reduce the harm, and future steps that are planned.
- Assistance offered to affected individuals — What you will do to assist individuals and what steps the individual can take to avoid or reduce the risk of harm or to further protect themselves.
- Other information sources — Sources of information designed to assist individuals in protecting against identity theft or interferences with privacy.
- Contact details — Contact information of areas or personnel within your organisation that can answer questions, provide further information, or address specific privacy concerns. Whether breach has been notified to regulator or other external contact(s)
- Legal implications — The precise wording of the notice may have legal implication.
- How to lodge a complaint — Provide information on internal dispute resolution processes and how the individual can make a complaint.
4 – Prevent future breaches
Once the immediate steps are taken to mitigate the risks associated with the breach, you need to investigate the cause and consider whether to review the existing prevention plan or, if there is no plan in place, develop one.
- Develop a breach response plan — Set out contact details for appropriate staff to be notified, clarify roles and responsibilities, and make sure they are documented, coordinate investigations and breach notifications, and cooperate with external investigations.
- Establish a breach response team — See the list above about whom to include in this team e.g., senior management, IT, public affairs, legal, etc.
- Identify relevant service providers — Consider researching and identifying external service providers that could assist in the event of a data breach, such as forensics firms, public relations firms, call center providers, and notification delivery services. The contact details of the service providers should be set out in the breach response plan.
- Enhance internal communication and training — Ensure staff have been trained to respond to data breaches effectively, and are aware of the relevant policies and procedures. Staff should understand how to identify and report a potential data breach to the appropriate manager(s).
The author, Sara Goldberger, is the Head of Communications Global Operations and IT at Zurich Insurance Group and Board Member of GCA partner, Cyber Rescue Alliance. You can follow her on Twitter @saragoldberger.
Editor’s Note: The views expressed by the author are not necessarily those of the Global Cyber Alliance.