
Why You Need to Be Agile When Responding to a Data Breach

Remember Donald Rumsfeld’s distinctions of “known knowns,” “known unknowns,” and “unknown unknowns”? Similar complexities arise every time an organization responds to a data breach: some issues you will know about right away, other concerns will arise along the way in a rather predictable fashion, and still other challenges will come up when and where you least expect them.

Successful data breach response requires that your organization be quick to respond and adapt—no matter what unexpected issues arise. We see this need for agility in nearly every breach response we take on, as illustrated in the examples below.

Download: Criminal attacks are now leading cause of healthcare breaches

When it’s not clear who’s in charge

When a cyber-attack happens, the security team is in charge, right? If only it were so simple. Privacy and risk officers and compliance and legal teams certainly have to play key roles, but breach responses affect the whole business, and you will need a coordinated data breach response to manage enterprise risk.

As we discussed in a recent blog post, breach responses involve security, privacy, marketing, public relations, legal, and numerous other teams. That means multiple people across the organization have to be in charge in parallel, each owning a piece of the incident response.

Just as importantly, all these teams need to work together in a relatively seamless manner. When the legal team or the PR team learns new information, the facts have to be disseminated—fast—to all the other teams that might be impacted. You will also want to conduct regular reviews with all the teams to learn about progress, review priorities, and determine next steps.

When the numbers don’t add up

Digital forensics takes place early in the breach response process, in part to determine how many records were breached. Maybe initially you think that 250 customer files were exposed, but two weeks later you find out it was actually a much larger breach of 2,500. This is a common issue, and it requires rapid updates to your breach response, from your call center to online communications.

This example also highlights the importance of using an agile model that divides projects into time-critical segments that each have a well-defined focus. A first-response team should focus on the digital forensics, and it should be tasked with notifying the entire breach response team as soon as it determines the breach is larger (or smaller) than anticipated.

When credit monitoring alone isn’t enough

As you learn more about the type of data that was lost or stolen and the populations that were affected, you may find that the common, knee-jerk solution—providing free credit monitoring solutions—is not sufficient.

As we discussed in detail in a recent article, the remedy needs to fit the crime:

  • Was protected health information exposed? Then your breach response could include an offer of free medical identity monitoring.
  • Were email addresses and passwords taken? Cyber monitoring can help.
  • Did personal information such as mortgages and marriages get exposed? You may want to add public records monitoring as a remedy.

This is another area in which it is critical that your breach response teams be agile. You may initially believe that credit monitoring alone will be sufficient, but three weeks into your response, you learn that protected health information was exposed. Pivoting quickly and adjusting your response to fit the crime could be critical to earning back the trust of your customers.

When your communications miss a key point

As soon as a data breach happens, your response team will start developing outbound communications that explain what happened, what your organization is doing to respond, what affected individuals can expect, what individuals need to do right now, etc.

Inevitably, your initial communications will need to be revised. For instance, your call center may receive calls from a dozen people, all with the same question or concern. If you have an agile process in place, you should be able to diagnose the issue and update your call center messaging accordingly. But you can’t stop there.

To ensure consistency across all your communications—which is critical to streamline your processes and impress both affected individuals and regulators—you will need to check that the same update is made everywhere. Every print, online, and in-person communication needs to carry the same messages, the same answers, and the same understanding of the facts. Again, cross-functional collaboration and teamwork are critical.

When unique subpopulations are affected

You may find that the breach impacted subpopulations such as children, non-English speakers, or now-deceased individuals. This is another reason that you may need to offer remedies other than credit monitoring, as well as update your outbound communications.

The key is to address subpopulations in a sensitive manner that takes into account their unique needs and concerns. From Spanish-language communications to FAQs that address common questions for parents of affected children, the faster you can give customers what they need, the more frustration and rework you can avoid.

When media interest is greater than expected

Should the CEO apologize for the breach? How much detail should be given to the media? What if the details of the breach change following the forensics investigation—when and what do you tell the media? What should you say if an employee is at fault?

All these issues and more often arise during a breach response, and all require a deft touch, especially when your message has to shift quickly weeks after the initial story hits the papers and your goal is to protect the organization and those affected.

The bottom line

It is probably fair to say that no organization is fully prepared for a data breach. You may have policies and procedures in place—which are critical—but the unwelcome surprise of “unknown unknowns” is inevitable. That’s why it’s so important to be agile and flexible in your breach response.

Our breach response whitepaper offers additional information about how to improve your breach response process.


About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.