As the data breach occurrence rate continues to rise, it is becoming clear that there is a certain randomness to these incidents. One of the key components of exposures and the effectiveness of insurance policies is the predictability of loss. Data breach threats and losses are “bucking” this trend. Unlike other types of losses (wind, flood, fire, etc.), data breach incidents have no season and no clear indicators of who is at greatest risk. In the absence of predictability, it is critical for organizations to always be ready for an incident to occur.
The following list includes key recommendations to help organizations plan for an “unplanned” data breach:
1. Make a List
In data breach preparation planning with clients we often recommend they consider and list the worst case scenarios of a data breach. This exercise helps organizations understand how bad it could be and challenges them to think of the impact a significant incident could have on the organization. Further, in the immediate aftermath of a data breach it is critical to have those that are most familiar with the organization summarize what they think happened and what kind of data could be at risk. This is a critical step and something that will gauge the level of response needed when moving into stage two of your plan.
2. Assemble Your Team
Data breaches are complicated and require a unique understanding, skillset, and the coordination of many outside resources to investigate and rectify damages. Your first call should be to your risk advisor/insurance broker. Your risk advisor can coordinate and recommend specialized providers in the area of legal coaching, IT forensics, public relations, notification services, credit monitoring, and more.
Within 24 hours of a data breach incident you should have had a conference call with your risk advisor, legal counsel, and an IT forensics firm (if required). If your organization holds Cyber Liability coverage, this will be easier, as your insurance carrier will likely have an entire list of pre-approved vendors at negotiated rates, guaranteed to be available during your time of need.
3. Develop a Plan/Timeline
Managing a data breach is no different than any other large project that might involve many aspects of an organization. Develop a set timeline and objectives to keep your team on task. Identify expectations of how the days and weeks after a breach will transpire and fully communicate the plan to your assigned team. These expectations should be realistic and tempered based on advice from advisors.
4. Don’t Touch Anything!
More harm can come from internal resources trying to “self-fix” or “diagnose” the issues than if all the evidence was left preserved. Aside from reasonable efforts to isolate the intrusion and limit further data loss or corruption, organizations should limit action.
Once confirmation has been made that there is an incident that has caused or could cause a data breach, all internal personnel should refrain from trying to solve the problem. It is critical to not damage evidence or alert the intruder that they have been identified. It also helps the organization maintain objectivity if the data breach ever were to be litigated.
5. Forensics Time
Once your organization has a good understanding of the potential exposure and liability associated with the data breach and a handle on the steps needed to start cleaning it up, for most data incidents the next step will be working with IT Forensics. Typically, this is an independent specialized third party that will conduct a forensic investigation of your network and hardware. The main objective is to figure out: what happened, where it happened, how it happened, and how long it was happening.
6. Results and Obligations
Engagement with a forensics firm is typically the best way to identify what obligations or exposures an organization faces in the aftermath of a data breach. A full forensic report could take up to a week, but a summary of findings should be available within 24 hours. Any findings should be shared with your legal advisors as soon as available so they can advise you on your obligations going forward. It is critical to understand how your incident is viewed; data breach reporting in certain industries can run the risk of a regulatory investigation.
7. Repair, Regroup and Keep on the Lookout
After the immediate action items of your data breach remediation plan are complete, it is time to analyze what the data breach incident has taught your organization. Take this chance to identify what caused the data breach incident and address the gap in IT security and any other areas of weakness that were identified during stage one. Successful data breaches are often followed up with other attempts, so in the aftermath of an incident it is important to keep a close eye on your systems and networks.
M3’s cyber professionals can help you make sure your organization is prepared for the unexpected – no matter what the season.