Developing a Data Breach Incident Response Plan
Data breaches and data theft are reported daily, and attackers continue to find ways around the tools and strategies meant to tighten data security. Every business should plan for the unexpected, including a data breach that can hurt your brand, customer confidence, reputation and, ultimately, your business.
It is important to develop an incident response plan to help you detect an attack and have procedures in place to minimize or contain the damage. Your plan can begin with being aware of the data security regulations that affect your business and assessing your company data security gaps.
Once you have your plan in place, test it often. Early detection of a breach is a key benefit of an effective incident response plan.
Be Prepared and Plan Ahead
- Establish a response framework. An effective incident response plan contains a framework for action where key decisions are made ahead of time and do not have to be made under pressure.
- Publish incident notification procedures. This information should be published for all personnel, including employees and contractors. It can also be part of new hire orientation and routine employee awareness activities.
What to Do if a Breach Occurs
- Validate the data breach. Be sure to examine the initial incident information and available logs to confirm that a breach of sensitive data has occurred.
- Manage the evidence. Carefully document all investigation and mitigation efforts, and record who handled each piece of evidence and when (the chain of custody), since the evidence may later be needed in court. Any interviews with key personnel should also be documented. You should seek advice from your legal counsel on the approved methods for collecting and protecting digital evidence.
- Assemble your incident team, and begin investigating the breach. Your response team should also continue to monitor the status of the breach.
- Decide on effective outside help. Any decision to involve outside resources, including law enforcement, should be made by consulting with executive leadership and legal counsel.
- Take action to mitigate the impact. Act quickly to reduce the impact as much as possible. Identify and secure all affected data, machines, devices and systems. Isolate compromised systems from the network rather than wiping or powering them off, and preserve copies of the compromised data and logs before any cleanup, so that the evidence survives for the investigation. Change encryption keys and passwords promptly to cut off further access, and coordinate the rotation so that it covers every credential the attacker may have obtained; a partial rotation leaves the attacker a way back in. Remove malicious code from affected hosts (rebuilding from a known-good image is the most reliable way to be sure it is gone), which may take substantial resources depending on the size of the breach.
- Notify data owners. If your customers' information is exposed, affected individuals should be notified as soon as possible and within the timeframe set by federal, state and local laws, which may also require notifying regulators. Your public affairs or media relations staff, in conjunction with executive leadership and legal counsel, should word the notification in a straightforward and honest manner.
- Conduct "lessons learned" and tests for continuous improvement. Your company should always hold a "lessons learned" meeting after the recovery phase to refine your data security program and breach response strategy.
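One concrete check behind the "manage the evidence" and "preserve the compromised data" steps above is an evidence manifest: hash every collected artifact at collection time, record who collected it, from which host and when, seal the record itself, and re-check everything later so that any change to the evidence or to the record can be demonstrated. The following Python script is an added example, not code from the original page; the file names, the collector and host names, and the log lines it writes are constructed for the demonstration.

```python
"""Evidence manifest: hash collected artifacts at collection time and
re-check them later so any change to the evidence can be demonstrated."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large disk images or packet captures need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, collector, source_host):
    """Record what was collected, by whom, from where, when, and its hash.
    The manifest is itself hashed (the 'seal') so edits to the record are detectable."""
    entries = []
    for path in paths:
        entries.append({
            "path": os.path.abspath(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
            "source_host": source_host,
        })
    body = json.dumps(entries, sort_keys=True)
    return {"entries": entries, "seal": hashlib.sha256(body.encode()).hexdigest()}


def verify_manifest(manifest):
    """Re-hash every artifact and report which ones still match the record."""
    body = json.dumps(manifest["entries"], sort_keys=True)
    seal_ok = hashlib.sha256(body.encode()).hexdigest() == manifest["seal"]
    intact, modified, missing = [], [], []
    for entry in manifest["entries"]:
        path = entry["path"]
        if not os.path.exists(path):
            missing.append(path)
        elif sha256_file(path) != entry["sha256"]:
            modified.append(path)
        else:
            intact.append(path)
    return {"seal_ok": seal_ok, "intact": intact, "modified": modified, "missing": missing}


def demo():
    """Constructed scenario: two collected artifacts, then one is altered, one is
    deleted, and finally the manifest itself is edited."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    auth_log = os.path.join(workdir, "auth.log")
    notes = os.path.join(workdir, "interview-notes.txt")
    with open(auth_log, "w") as fh:  # constructed sample log lines, not real data
        fh.write("Mar 03 02:14:07 web01 sshd[4121]: Accepted password for svc_backup "
                 "from 203.0.113.7\n"
                 "Mar 03 02:14:09 web01 sudo: svc_backup : TTY=pts/0 ; "
                 "COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/db\n")
    with open(notes, "w") as fh:  # constructed interview note
        fh.write("Interview with on-call admin, 03 Mar: no maintenance was scheduled for web01.\n")

    # hypothetical collector and host names
    manifest = build_manifest([auth_log, notes], collector="analyst1", source_host="web01")
    before = verify_manifest(manifest)

    with open(auth_log, "a") as fh:  # simulate a later, unrecorded change to evidence
        fh.write("tampered line\n")
    os.remove(notes)  # simulate a lost artifact
    after = verify_manifest(manifest)

    manifest["entries"][0]["sha256"] = "0" * 64  # simulate editing the record itself
    seal_after_edit = verify_manifest(manifest)["seal_ok"]
    return before, after, seal_after_edit


if __name__ == "__main__":
    b, a, s = demo()
    print("at collection:", b)
    print("after tampering:", a)
    print("seal valid after editing the record:", s)
```

In practice the manifest would be written out (for example as JSON) and stored separately from the artifacts, with a copy held by whoever legal counsel designates, so that the seal can be checked against an independent copy rather than against a record the same attacker could have edited.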