Get Your Breach Response Right the First Time
Organizations can’t undo a breach after it happens. But with the right assistance, you can respond to data breaches with information that is thorough, accurate, and delivered to regulators and the public in a timely manner. Read this post to learn more.
Every organization tries to provide a timely and accurate response to data breaches, but you’ve seen the headlines that show how so many well-intended responses go wrong:
- “IRS Data Breach Nearly Three Times Bigger Than Previously Reported”
- “Target Breach Much Larger Than Originally Reported”
- “53 Million Email Addresses Stolen in Home Depot Hack”
The list of misfires and misinformation goes on. And that raises the question of why so many organizations struggle to get breach responses right the first time, instead further undermining their brand with inaccurate or delayed responses.
Webinar: Follow The Leader: An Insider’s View of the CA Data Breach Report
One answer is simple: Breach responses are very difficult to get right, no matter which industry you’re in. Data breaches are discovered at unpredictable times, often without precedent, and many organizations are simply not ready to respond. It is human (and business) nature to avoid thorough disaster planning, instead devoting time and money to the never-ending stream of here-and-now challenges.
When data breaches inevitably do occur, some organizations try to handle the response in-house, tasking IT and other departments with responsibilities they’re not trained to perform. According to the latest report from Advisen Ltd., Mitigating the Inevitable: How Organizations Manage Data Breach Exposures, 60 percent of respondents rely solely on the IT department to manage data breach response. IT on its own is generally not equipped to handle data breach compliance and regulatory requirements. In addition, the instinct is to move immediately from discovery of a breach to issuing a public response. But moving too fast risks errors like those listed above, as well as possible fines and class-action lawsuits.
A wiser approach is often to hire an outside contractor that specializes in breach responses and can lead a carefully planned, comprehensive, and timely response that considers all the tangled legal requirements, as well as the various needs of affected individuals.
The following five steps form the building blocks of a comprehensive breach response that can prevent the missteps that have undermined so many organizations’ breach response efforts.
Step #1: Incident Response Detection
The first step is to detect that a breach has occurred. This may occur in a variety of ways, including through regular business activities or an IT-led investigation. Organizations can also invest in incident detection software that can provide more systematic assistance in identifying breaches early—which is the first key to limiting damage and providing a timely breach response that wins back customers.
Step #2: Forensics
Instead of rushing to report a breach, organizations should first conduct a forensic analysis to determine who was affected, the type and source of the breach, the level of exposure, and other details. Timely and thorough forensic analyses help contain the damage, determine the scope of the breach, and plan the response.
It is often helpful to hire third-party experts to conduct forensic analyses because the systematic processes they employ can uncover details internal IT teams may not know to look for. Third-party reports can also be extremely useful in the weeks and months following a breach to reassure customers, the board, and regulators.
Step #3: Assessment
Thankfully, not all privacy incidents are notifiable breaches. To determine whether a given incident is a data breach that requires legal notification, organizations can use manual or automated solutions. The problem with manual evaluations is that they can be time-consuming, costly, and error-prone, leading to issues with over- and under-reporting of breaches.
Automated software such as RADAR® can provide a more accurate and efficient way to evaluate the sensitivity and severity of each incident for breach determination, and can generate recommended notification guidelines to meet state and federal regulatory obligations.
Step #4: Gather Information
Before going public with a breach response, it is critical to gather even more information about who was affected, including demographics. Using those details, organizations can develop tailored breach responses that address the specific needs of affected populations such as children, non-English speakers, and deceased individuals.
Imagine what a difference it makes to affected individuals when they receive customized notification letters, and when the organization’s website and call center services are tailored to their needs, with easy sign-up for the enrollment of identity protection services.
Step #5: Respond
Only now, after working through each preceding step, are organizations ready to respond. A vendor that provides comprehensive breach response services should be able to take care of the earlier steps, as well as the response—including drafting notifications, developing call scripts, setting up breach websites, and enrolling affected individuals in the services they need to recover from the breach.
Organizations can’t undo a breach after it happens. But with the right assistance, you can respond to data breaches with information that is thorough, accurate, and delivered to regulators and the public in a timely manner. That will put you on the road to true recovery, and winning back customers and credibility.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.