If you’re working on organizational cybersecurity, one of your top goals is likely putting a system in place that will help identify data breach incidents as quickly as possible, whether that data is inside your organization or with one of your vendors. Of course, simply knowing about a data breach incident isn’t enough—you have to take action immediately, or you could risk major data implications.
Enter a data breach response plan. A policy like this outlines every step you should take if you suspect your data has been compromised—and every company should have one.
Keep in mind that data breach response plans can be tens to hundreds of pages long (depending on the size of your organization and the criticality of your data). It may go into a great deal of detail on infrastructure and unique scenarios your organization could face. Because these details are so particular to the organization, following an exact data breach incident response plan template isn’t advisable. But there are a few things your plan must include—and we’ve listed those below.
4 Things You Should Include In Your Data Breach Response Plan
1. The type of data that constitutes a data incident.
The first thing you need to know is how your company defines a data incident or breach that would illicit a response. It is personally identifiable information (PII)? Healthcare data? This depends entirely on your organization, but may include the following:
- Incidents or breaches that involve legally protected information. If you’re keeping a lot of customer information (social security numbers, credit card numbers, health information, or other PII) a lot of state laws and international laws require you to notify the victims when their information has been compromised.
- Incidents or breaches that represent a material loss to the company. This category of data may not necessarily require public notification but is still just as vital to monitor. Material losses look different in every business but may appear as an operational disruption, a distributed denial of service (DDoS) attack, a compromise of sensitive or confidential information, or a compromise of trade secrets or intellectual property. Keep in mind that this material loss may be on a vendor’s network. For example, the disruption of a third-party service provider could impact your supply chain so your goods can’t be delivered.
2. The parties responsible during a data breach.
There are a number of responsibilities that need to be fulfilled once a data incident is acknowledged—and your data breach response plan should outline precisely who takes these roles on. This is a critical element to detail, as it impacts how you may handle the escalation process (see #3). Your data breach team usually includes at least one individual in each of the following areas:
- IT/IT Security: This team may have helped catch the data breach and will likely step in to aid your forensic investigation team.
- Legal: The legal department will likely need to step in, particularly if protected information was involved in the data breach.
- Communications: The communication team may step in to help with anything from press releases to crisis management.
- HR: If your employee’s information is involved in a data breach, HR may need to step in.
- Executives: When the data breach is of a certain scale, key company decision makers may need to be involved.
3. The internal escalation process.
When a data incident occurs on your network, you need a rock-solid process for escalating the incident up through your organization. For example, if an employee—let’s say, someone who works in the IT department—sees something that looks off, they should use the data incident response plan template to see who they should bring their concerns to. The IT employee may alert the IT security manager, who may in turn alert the IT director, who then decides whether the event needs to be escalated up the chain into different departments (i.e., legal, HR, etc.).
4. The external escalation process.
Aside from escalating a data incident inside your organization, you also need to include the external escalation process in your data breach response plan. Include the following details:
- When to involve help from the outside. Your plan should designate precisely when outside involvement should be brought in (or at least considered).
- What kind of help to involve from the outside. For example, you may want to map out when a forensic investigation team is needed to deal with an IT security issue. They may help you determine what happened to the data that was compromised. Or you may need to bring in a “breach coach”—most often a lawyer or consultant who can cover some breach discussion beneath attorney-client privilege. This person can coordinate responses from forensics, decide whether or not you need to notify insurance company customers, determine legal obligations, and more.
Practice Makes Perfect
It’s very important to practice your data breach response plan regularly. You do not want your first try to be a real crisis! Conducting tabletop exercises to discuss simulated emergency scenarios is a great way to refresh those involved on their duties and obligations, the steps they should take both individually and as a team, their role in the escalation process, when to notify specific organizations or individuals outside of the company, and more.
Check out our free white paper for more information on how your organization can reduce cyber risk by embracing responsible cybersecurity practices throughout your network. It analyzes the security posture of many organizations and looks at how cybersecurity practices can offer insight into whether a breach may occur.