Responding to a Breach
Data breaches have plagued organizations ranging from SMBs to Fortune 500 entities. Many organizations have exercised some form of due care; however, without an experienced security team led by a Chief Security Officer, the likelihood of a breach is high. Even with a Chief Security Officer, the likelihood of a breach decreases, but there is still a chance of an enterprise data breach. Organizations must have a breach response plan tailored for the event that a breach occurs.
What to know
1. Size - Organizations should have a clear understanding of the total size of the breach. For organizations with multiple branches, it is imperative to have an internal forensics team or a third party to assess this information before and after a breach.
2. Cause of breach - Was the breach caused by human error or a lack of education, or is the breach related to an internal or external exfiltration of data?
3. Regulatory Requirement - 47 states have laws stipulating who must be notified in breach situations. Financial institutions must notify consumers and regulators. Healthcare providers must provide public and industry notification of any data breach. Breached merchants must comply with all applicable state, federal, and industry security and notification requirements.
4. Exposure - Organizations that suffer a breach experience a loss of consumer confidence known as reputational damage. Reputational damage may cause customers and business partners to shun your organization because the risk levels are too high.
5. Scope/Communication - All entities must understand and be able to substantiate the type of data that was exfiltrated (SSNs, credit cards, PII). Once the type of data that was exfiltrated is understood, drafting a communication to the affected users and parties is paramount to the survival of your business. The how, what, when, and where should be communicated, along with the strategy the firm will execute to further protect the affected parties.