
Four Steps for Managing a Data Breach Crisis

Whether you operate a small dental office or run a multinational corporation, the data breach response methodology is roughly the same. Learn how to manage a breach response from this post.

When a data breach occurs, how an organization responds and communicates to its customers, patients or stakeholders can be the difference between a potential class action lawsuit and an opportunity to reinforce a commitment to quality and customer care. According to the Second Annual Benchmark Study on Patient Privacy and Data Security by the Ponemon Institute, the negative impact of a data breach can diminish healthcare brand reputation, tarnish perception and lead to precipitous declines in patient goodwill.

This all sounds good in the abstract. Data breaches are becoming more common than the cold, yet oddly, a surprisingly small number of organizations have a plan for managing the response with the media. Whether you operate a small dental office or run a multinational corporation, the response methodology is roughly the same. What varies greatly is the depth of the situation and how the communication is integrated with the entire response process.

Let's break it down to four steps:

  1. Plan and Assess
  2. Messaging
  3. Outreach and Response
  4. Analysis and Further Action

To begin, our focus will be on step 1: Planning and assessing the breach situation.

When a breach happens, inevitably everyone panics. Having a plan in place before a breach occurs is like taking an aspirin before the headache turns into a migraine. Sadly, most organizations are still stuck with the notion that it "will never happen to us."

Every organization needs a plan that is customized to meet its needs. Whatever its specifics, a plan should include the following baseline components:

  • Data intake from the CIO, privacy officers, legal and HR
  • A full written description of the incident and the total affected population
  • Review and analysis of pertinent documents including forensic reports and incident reports
  • A list of notification requirements (Federal and State) that matches the affected population
  • An action plan with timelines and responsibilities

Ideally, this plan "skeleton" can be developed outside of a breach incident and reviewed quarterly to make sure that it is still addressing organization needs. A good rule of thumb is to review the plan against industry trends and update it to include any new regulatory requirements.

With a plan in place, the next phase is messaging for both internal and external audiences. We'll address that in Part 2.

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.