Digital Guardian, a vendor of information technology security solutions, recently invited me, as well as 29 other IT Security practitioners, to comment on a security topic (made all the more relevant by the recent media coverage of several significant data security issues). The topic was: “What’s the most important next step you should take following a data breach?”
Here’s what I wrote.
Following a data breach, there are really only two options:
You either implement your data breach response plan, or you resign, because if you don’t have a predefined plan you are doomed.
Implementing a data breach response plan can be a significant (and expensive) undertaking. It’s complex; it is absolutely not something that can be done by the seat of your pants.
What does a data breach response plan look like? Actually, to call it a plan is probably a misnomer; it’s really more of a template that allows you to quickly develop a customized response plan that is based on the specifics of the actual breach. The key to crafting this plan is to have a cross-functional team defined and ready to spring into action at a moment’s notice. In addition to a team lead, it should include representatives from the organization’s executive, IT, Legal, Risk, Privacy, PR/Marketing and Customer Service, as well as any third parties that may be required. And they need to be trained; to maximize their effectiveness they should have had the necessary education and training, and a number of dry runs through a series of different scenarios. (Don’t let the response to an actual breach be the first time that the plan has been executed.)
It’s important to remember that this is really an exercise in crisis management. Studies show that organizations can avoid longer-term impact as long as their customers (and shareholders) perceive that the issue was properly managed. Handle the crisis poorly and the recovery will likely take longer (or not happen at all).
One more thing to remember. The data breach response plan is a living document. As individuals change roles and as the organization evolves (mergers, acquisitions, divestitures etc.) the plan needs to change as well.
Care to see the other 29 opinions? There are many that I agree with completely (and, to tell the truth, a few that I think are a bit offside). You can find them on the Digital Guardian blog.