Just as important as having cybersecurity controls and protocols in place is having a Data Breach Response Plan ready to execute when you need it. In the heat of a crisis you do not want to forget critical steps or improvise under pressure. When a breach happens, the actions you take, or fail to take, in the first hours can have irreparable consequences.
First, make sure your security monitoring and data collection comply with all applicable laws. Your policies should spell out what captured data you retain, what you delete, and how you are permitted to process it. Get a professional assessment and a legal review of those policies and protocols before you rely on them. With that foundation in place, a well-crafted Data Breach Response Plan helps you limit the damage, shorten recovery time, reduce costs, and protect your legal position.
Stronger Data Security - Safeguarding Rules and Regulations
In the U.S., 48 states, plus Guam, Puerto Rico, the Virgin Islands, and the District of Columbia, have state laws requiring companies or government agencies to notify affected individuals when a security breach results in the release of personally identifiable information (PII). Federal law adds its own obligations for specific categories of data, most notably financial information and health information, the latter under HIPAA (Health Insurance Portability and Accountability Act), which carries its own breach notification requirements.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations and sets out compliance, breach reporting, and investigation requirements. Most provinces also have their own privacy standards that apply to data breaches.
The European Union's General Data Protection Regulation (GDPR), effective May 25, 2018, imposes stricter requirements for safeguarding personal data, and organizations that fail to comply face substantial fines. A breach of personal data triggers notification obligations to the supervisory authority, in most cases within 72 hours of becoming aware of it, which is where a robust Data Breach Response Plan becomes essential. Organizations outside the E.U. may also have to comply if they do business with, or process the data of, E.U. residents.
Seven Steps To Crafting A Data Breach Response Plan
1. Clearly Define Objectives
It may sound simplistic, but you need to define what constitutes a data breach that requires action, and then outline the response to each. Plan for multiple levels of engagement, with clearly defined actions for different types and severities of intrusion; one size does not fit all. The plan should state which steps must be taken immediately to contain the breach and prevent further damage, so that nobody on the team is left guessing when time is of the essence.
2. Create Your Team And Assign Roles
3. Set Key Performance Indicators
4. Professional And Legal Review
5. Create An Internal And External Communications Plan
6. Test, Test, Test
7. Review And Revise
Protect Yourself Against Breaches
The potential cost of cybercrime globally is staggering: Microsoft has estimated it at roughly half a trillion dollars a year. At the level of a single organization, the average cost of recovering from a major data breach is about $3.8 million.
For nearly all companies, a breach of some kind is almost inevitable. Make sure your plan is detailed, tested, and regularly reviewed, and consider consulting cybersecurity specialists about data breach response services.
Any solution starts with a conversation. Our team is ready to discuss your projects, your immediate security concerns, and any matters you need handled confidentially. We look forward to hearing from you.