Top 6 Breach Response Best Practices from Leading Industry Experts
Learn from industry experts in this post for insights on preparing for and responding to a data breach.
Data breaches strike organizations of every size and every industry—no one is immune. Verizon’s 2016 Data Breach Investigations Report covered more than 2,200 breaches, and the Identity Theft Resource Center recently reported that 34 million records have been breached since the start of the year. Even if you know these risks and prepare accordingly, a breach is still a time of high stress, tight deadlines, and competing priorities. It’s no wonder you may feel the pressure—your immediate response can have long-term consequences for your business, reputation, and customers.
To help you organize and prioritize, we asked industry experts for insights on preparing for and responding to a breach. Collectively, we have identified six best practices to help ensure positive outcomes for your organization and the individuals affected by a breach.
Report: When a data breach strikes, what’s the best way to respond?
Best Practice 1: Identify Risk and Prioritize Risk Mitigation Strategies
“An organization should continually work at raising its level of awareness and preparedness,” says Ted Augustinos, a partner at the international law firm Locke Lord. “If breach risk mitigation has yet to be considered, management should organize a thoughtful discussion involving senior internal decision-makers and experienced outside legal and technical resources about assessing risk and prioritizing risk mitigation activities.”
He adds, “As these projects are not ‘set it and forget it,’ even the organizations most advanced in this area are continually looking for ways to improve administrative and technical safeguards by reassessing potential risks and threats, updating their data security procedures and technologies, revisiting the availability and adequacy of insurance coverage, revitalizing employee training programs, and practicing their incident response plans.”
Best Practice 2: Reduce Breach Risk with an Incident Response Plan
“Preparation is the best defense for handling a breach event,” says Dave Molitano, senior vice president at OneBeacon Technology Insurance. “This means organizations must have an updated and tested incident response plan that’s documented and communicated to those accountable for managing a response. In addition, the proper resources should be identified and readily available. And when a breach does strike, follow the plan and listen to those who are there to assist you.”
Best Practice 3: Protect Information Assets with Smart Security
At the recent Privacy + Security Forum in Washington, D.C., Rick Kam, president and co-founder of ID Experts, and Sean Hoar, a partner in the Portland, Oregon office of law firm Davis Wright Tremaine, identified best practices for mitigating risk. Among these were security strategies for protecting an organization’s data and systems, such as factoring security into decision-making at every department and level of the organization. In addition, organizations should avoid collecting non-essential data, keep only the information for which there is a legitimate business need, and only use it when required.
It is also important to implement the critical security controls appropriate for the enterprise. These controls are provided by the Center for Internet Security (CIS):
- Develop and maintain an inventory of all hardware and software.
- Use the most current versions of applications and operating systems.
- To the extent possible, automate security patching and continuously monitor for vulnerabilities.
- Segment your network, enable intrusion detection and prevention systems, and ensure all system logging is enabled.
- Secure data with strong encryption when possible.
- Control access to data on a need-to-know basis.
- Require complex passwords and use multi-factor authentication.
- Eliminate unnecessary data and processes.
- Conduct vulnerability testing and risk assessments.
- Conduct due diligence on all third-party service providers and require appropriate information security standards to be written into contracts.
- Provide employee training on network security awareness.
- Develop and test your incident response plan, which should involve key stakeholders and business units across the enterprise.
Best Practice 4: Get the Right Cyber Insurance
“Based on the cost of most breaches, very few organizations are able to handle 100 percent of the costs of a data breach on their own,” says Kimberly Holmes, senior vice president and cyber liability counsel at ID Experts. “It could be characterized as penny-wise and pound-foolish not to have some form of standalone cyber insurance in place in addition to other investments by the organization in IT security measures.”
Best Practice 5: Look Beyond Breach Notification
“After a breach hits, the response should not be limited to breach notification but should also focus on containment, corrective action, and preparing for the regulatory investigation and potential litigation to follow,” says Adam Greene, a partner in Davis Wright Tremaine’s Washington, D.C. office. “Too often, organizations are focused on the immediate response. They need to consider future consequences of the breach, such as what might happen in a court of law.”
Best Practice 6: Put Your Customer First
“It’s never pleasant for affected individuals who have reason to worry about, or actually experience, identity theft,” says Augustinos. “An organization that provides timely and precise information about the compromise, and offers services to assist affected individuals in resolving their personal issues, usually finds that the organization’s reputation, enforcement profile, and litigation exposure are affected less severely by breaches than organizations that respond in ways that are inadequate or late, or both.”
Breach Response Is Common Sense
Data breaches are frightening occurrences, but they need not be fatal to your business. Mitigating risk, having an incident response plan, protecting data, and providing excellent customer service—these are actions any organization can take, no matter your industry, size, or budget. It’s simply a matter of deciding what you value and prioritizing resources to achieve those goals.
For more insight into breach response best practices, refer to ID Experts’ just-released Customers Come First: A Data Breach Response Survey.