Answers to 3 Common Data Breach Questions
I am often asked what companies should do when they suffer a data breach. Here are my quick answers to the most common questions I hear. Stay tuned for Part 2 coming soon.
What should companies do in the first 24–72 hours after discovering a breach?
First is triage and fact finding. Identify the list of critical questions at the operational, legal, and PR level. Is the right team in place to drill down to absolute affirmative or negative answers to critical questions? For each question, determine and agree on the steps you will take to obtain each answer. Figure out if it’s possible to utilize the failure to improve impacted relationships by being “intelligently transparent.”
To do this, you should share the critical questions, your approach to finding the answers, and the estimated timeline with your stakeholders. Set the expectation that this process always takes longer than what’s ideal and be prepared for impacted stakeholders to become antsy.
What is the game plan moving forward in the weeks and months to come?
It is important to set expectations with your response team. Warn them that around day six of the investigation, their superiors will become exceptionally frustrated with the amount of time that it’s taking. In our experience, when the right team is assembled with the right leadership, it’s usually the CIO who has the best understanding of the dynamics of legal risk, operational risk, and technology. Use your list of critical questions as the basis for your plan going forward.
Should organizations already have a game plan prepared before a breach occurs?
Yes! Most companies think they have a breach response plan. They usually find that it breaks down when details arise. For example, if the PR team hears from the IT team that a breach impacted 100 users, but the data accessed was limited to email addresses, they draft a strategy based on that information.
Getting that kind of information wrong in the first 48 hours happens in over 75% of breaches. This causes significant impact to the PR messaging strategy and can cost brands more in the loss of customer trust than if they had gotten the facts right in the first place. Companies should have a breach response plan in place, but they need to make sure the plan fully covers their anticipated and actual needs.
Think through this approach, and challenge your internal teams to determine if they would truly be ready for a fully integrated approach to PR crisis response with inline incident response & forensics.
Before an incident:
- Implementation configuration and management of data breach detection and monitoring tools
- Formal gap assessment between expectations and reality
- Table top exercise to demonstrate and evaluate impact of gaps
- Implementation of new capabilities
- Table top exercise to show the improved capabilities
- Ongoing threat monitoring and alerting
- Weekly risk landscape updates
- Monthly threat reports
During an incident:
- PR led response management (as they are the one with the microphone) with integrated expertise for interpreting and validating the approach and data that comes from IT or other forensics / IR experts.
- Capability to take over the incident response and forensics efforts if needed
- Post-breach after action review and remediation planning for improvements before next breach