Preparing for Data Breach Response: A Complete Guide
Summary: Use this comprehensive guide to prepare for an organizational data breach response, including how to recognize the differences between security incidents, events, and breaches.
# The time to get ready for a breach response is now—before a breach happens

In today’s digital economy, data is an extremely valuable business asset—and data breaches are threatening the value and integrity of that asset. The frequency of breaches is rapidly rising, so much so that they've become a matter of when, not if, for organizations. In fact, the Ponemon Institute estimates that the chances of experiencing a breach are as high as one in four.
In its Data Breach Report, the Identity Theft Resource Center (ITRC) reported 3,158 compromises in 2024, just shy of the all-time record set in 2023. These incidents yielded nearly 1.4 million victim notices, a 211% increase over the prior year. The financial services industry suffered the greatest number of occurrences, followed by healthcare and professional services.
## The high cost of data breaches
Data breaches can be devastating in terms of their costs to organizations. According to the IBM Cost of a Data Breach Report, the global average cost of a data breach in 2024 was $4.9 million, the highest total ever and a 10% increase over the prior year. For U.S.-based entities, the average cost is much higher: $9.4 million. A breakdown of the global average cost shows that:
- The loss of business, revenue, and customers resulting from a breach costs $1.5 million on average.
- The price of detecting and containing a breach costs $1.6 million on average.
- Post-breach expenses (fines, settlements, legal fees, providing free credit monitoring to affected customers, etc.) cost $1.4 million on average.
- Notices, including the reporting of breaches to customers, regulators, and other third parties, cost $430,000 on average.
The lesson is clear: To contain costs and reduce the impact of a breach, you need a detailed response plan. To assist, we’ve put together this comprehensive breach response guide, including:
- How to distinguish between an event, a security incident, and a data breach—and why the distinction matters
- What a planned breach response entails and why it’s vital
- Where to start with breach response planning
- What to look for in a breach response services provider
- The difference between government and private-sector breach response
# Event vs. security incident vs. data breach: What's the difference?
The odds are high that your organization has been or will be the target of an attack that puts sensitive data at risk. Even if you’re not yet in a hacker’s crosshairs, system weaknesses and human errors threaten the security of your sensitive information.
The label you use to classify an occurrence like this actually matters, because it determines your response—and thus your ability to properly protect your customers, your reputation, and your bottom line. Here are the three main types of occurrences:
- Event—The National Institute of Standards and Technology (NIST) defines an event as “any observable occurrence in a system or network,” such as sending an e-mail message or a firewall blocking an attempt to connect. NIST defines adverse events as those with a “negative consequence, such as…unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.”
- Security Incident—A security incident or privacy incident is surprisingly common in business. It is an event that violates an organization’s security or privacy policies around sensitive information such as online credentials (usernames/passwords), Social Security numbers, or confidential medical information. These incidents can range from an employee’s lost laptop to missing paper files to sophisticated cyberattacks.
- Data Breach—A data breach is a security or privacy incident that meets specific legal definitions as per state and federal breach laws. Data breaches require notification to affected individuals, regulatory agencies, and sometimes credit reporting agencies and the media. Only a small percentage of privacy or security incidents escalate into data breaches.
Properly classifying an event, security incident, or data breach helps you fit your response to the risk level posed by the sensitive—and often regulated—data your organization holds. For example, notifying your customers of a breach gives them the information they need to protect themselves. However, alerting stakeholders to every single security incident can subject them to the negative phenomenon that experts call “breach fatigue.”
# The importance of data breach response planning
How you handle a breach makes all the difference. With the right plan in place, you’ll be able to launch an effective response—acting swiftly to contain the damage, prevent future problems, maintain your organization’s reputation, and protect your customers from further harm.
You’ll also be able to save money. Note that the longer it takes to uncover a breach, the costlier the response. Among the findings in the IBM Cost of a Data Breach Report: Companies that were able to detect a breach internally—as opposed to it being disclosed by the attacker—were able to shorten the data breach lifecycle by 61 days and save an average of nearly $1 million in breach costs.
To shorten the breach lifecycle and minimize costs and other damages, companies need to have a response plan crafted and ready to go. It starts by adopting a “when, not if” mentality, says Petar Besalev, Executive VP of Cybersecurity & Compliance at the security and compliance firm A-LIGN: “As data breaches are being discovered and reported more frequently, it is critical for organizations to recognize that establishing and implementing a security breach response plan is an integral part of their cybersecurity preparedness.”
# Where to start with breach response planning
Breach response (also known as incident response) is a detailed, multi-phase plan of action for handling a breach. The Federal Trade Commission (FTC) recommends the following three-step guide for businesses that experience a breach exposing sensitive information:
1. Secure your operations: Prior to a breach, create an internal response team of experts; this can include representatives from forensics, legal, information security, human resources, communications, investor relations, and management. Post-breach, activate them to launch the response and halt additional data loss. This team will conduct forensics as well as advise you on applicable state and federal breach laws.
2. Fix vulnerabilities: Work with your forensics experts to analyze your network segmentation, encryption, backup or preserved data, and more. Create a communications plan for stakeholders affected by the breach, including employees, customers, investors, and business partners. Avoid making misleading statements about the breach or withholding details that consumers need to know. Clear, honest communication now can minimize customers’ anxiety and frustration—and save you time and money later on.
3. Notify appropriate parties: Notify state and federal regulators, law enforcement, other affected businesses, and the people whose information was exposed. A broad range of communication tools, including letters, websites, toll-free numbers, and a PR campaign helps ensure all of the individuals impacted by a breach get the information they need.
The FTC also recommends offering affected individuals at least one year of free credit monitoring, identity theft protection, or identity restoration services if financial information or Social Security numbers were exposed.
## Identify your organization's breach risks
The FTC plan highlights the complexity of breach response. To determine the best approach for your organization, first identify your breach risks. Consider these questions:
- What are the consequences should personal information become exposed due to a breach at your company?
- What does a catastrophic incident look like for your company?
- What are your reputational, financial, or regulatory risks?
Once you understand what’s at stake for your company and your customers, you can start planning.
## Should your company get cyber insurance?
Cost can be a major factor in determining the size and scope of a response plan. That’s where cyber insurance can help. Many companies use cyber insurance to help cover breach response costs, including forensics, notification, credit monitoring, and even regulatory fines. It’s a sound investment: Forrester found that organizations with cyber insurance coverage had fewer breaches and improved detection and response times for incidents.
The FTC advises businesses to consider the following when purchasing cyber insurance:
1. Does your policy include coverage for:
- Incidents involving theft of personal information?
- Cyberattacks on your data held by vendors and other third parties?
- Breaches of your network?
- Cyberattacks that occur either inside or outside of the U.S.?
- Terrorist acts?
2. Will your cyber insurance provider:
- Defend you in a lawsuit or regulatory investigation?
- Provide coverage in excess of any other applicable insurance you have?
- Offer a breach hotline that’s available every day of the year at all times?
J.P. Morgan recommends three guidelines in purchasing cyber insurance: Determine if the maximum loss is affordable for your organization; consider the likelihood of losses; and ensure that the transfer of risk is worth the premium you would be paying.
# What to look for in a data breach response solutions provider
As the IBM report found, lost business—including customer turnover and reputational harm—represents a significant part of breach expense. Your customers’ experience during this stressful time can make or break your company’s reputation. By bringing in professional partners to handle customer-focused services, including notification, communication services, and identity monitoring and protection, you can help preserve your good name while shielding customers from the dangers of identity theft and fraud.
When evaluating a data breach services provider, consider the following questions:
- How many incidents per year does the provider handle?
- What is the service capacity—how many affected individuals can they support in a single breach?
- How quickly can they deploy a response?
- How do they work with your company to deploy services? Do they offer a dedicated project manager?
- What identity protection packages do they offer?
- What industries do they serve and who are their current clients?
- Which insurers have approved this vendor?
- Is there an advantage to signing up prior to a breach?
This last question is particularly important. If you preemptively sign a master services agreement (MSA), your breach response provider can immediately act on your behalf when an incident occurs. For example, IDX offers a no-cost priority response plan for rapidly deploying breach response services in as little as three business days.
# How a government data breach response differs from the private sector
Many organizations, whether public or private, know the value of a trusted breach response partner to manage all customer touchpoints: notification, crisis communications, and identity protection services. But their criteria for evaluating that partner are very different. While private businesses judge vendors on factors like customer service and price, government agencies evaluate whether a provider has successfully managed breach response for other public agencies and meets rigorous security standards.
When choosing a breach response vendor, government agencies rely on a variety of sources, including the Contractor Performance Assessment Reporting System (CPARS). The system allows officials to review important performance and integrity information, such as news of contractor suspensions or terminations, before awarding a contract.
Like their private-company counterparts, government agencies can reduce the cost and impact of a future breach by selecting and contracting with a reputable breach vendor ahead of time.
## Create your data breach response plan now
Ready or not, your organization faces the very real risk of a data breach. When it happens, your customers will understandably turn to you for answers. And regulators and the media will scrutinize your response: How long did it take for you to discover the problem? What are you doing to contain the damage? Most importantly, what are you doing on behalf of the people whose information was exposed?
IDX can help on all these fronts—with proven and flexible professional services designed to reduce breach risks and costs, and offer your customers comprehensive identity protection for greater peace of mind.