Data breach reports have become a staple of the daily news. Companies of all sizes and across all industries are reporting breaches—whether caused by sophisticated third-party hackers or simple human error, such as a laptop stolen from an employee’s vehicle. The Privacy Rights Clearinghouse publishes a chronology of reported data breaches. The list includes over 4,440 reported data breaches since 2005, which averages out to more than one reported breach per day. The reality is that data breaches will continue to happen; so one day soon your company, like the others on this list, may need to report a breach to its customers and regulatory agencies. If your company does not yet have a formal written data breach incident response management plan in place, or your current plan has not been reviewed and updated in a while, it may be time to focus on your company’s data breach preparedness. As Benjamin Franklin noted, “if you fail to plan, you are planning to fail.”
Data Breach Preparedness Metrics
A recent study completed by the Ponemon Institute, LLC, “Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness,” notes that more companies are reporting data breach incidents. In 2013, 33 percent of respondents said their company had experienced a data breach involving the loss or theft of more than 1,000 records in the past two years. In 2014, that percentage increased to 43 percent. Sixty percent of the companies that had experienced data breaches also reported their company had experienced more than one data breach in the past two years.
The Ponemon study indicated that more companies are putting data breach response plans and teams in place. In 2014, 73 percent of the companies surveyed had such plans in place, up from 61 percent in the prior year. Seventy-two percent of companies have also assigned teams to lead data breach response efforts, up from 67 percent last year. Despite this planning, only 30 percent of respondents said their companies are “effective” or “very effective” in developing and executing a data breach plan. Only 22 percent of respondents with data breach plans in place said their organizations review and update these plans at least yearly. Review a copy of the Ponemon Institute’s study, “Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness.” This same study reveals that responding to a data breach costs an average of 10 times more if the company does not already have a data breach response plan in place before the data breach occurs. After all, when a significant data breach hits, the company must scramble to comply with the varying short-fuse customer notification and regulatory reporting requirements of each state (as well as federal requirements in some instances), all while trying to correct the data vulnerability and manage a serious public relations firestorm and the almost certain onset of data breach class action litigation. This is not the time to be trying to put together a response team from scratch or trying to learn what the reporting and notification requirements are in the first place.
Preparing a Data Breach Plan
Although every company’s data breach response plan will be unique, there are certain issues all companies should consider in developing or updating a breach response plan. Below is a top 10 list of matters to consider:
Number 1 – Plan and Paper
Your company should have a written data breach incident response management plan and cross-functional team in place prior to any data breach. The plan should identify the members of the team, including both in-house and outside personnel. This team should be “on call” and immediately activated post-breach.
Forty-nine percent of the respondents in the Ponemon study indicated that their companies provided no training on how to respond to questions about a data breach incident. Your company’s breach response plan should include templates of letters informing customers of the breach, customer service and call center scripts, and press releases. This prior planning will help minimize your company’s post-breach response time to ensure compliance with applicable statutory or regulatory notification requirements.
Number 2 – Know the Lay of the Land
Your company should understand the federal and state privacy laws that apply to your business and your customer footprint, as well as the representations made in your current customer privacy notices, including any separate privacy disclosures provided to website visitors. Your company should also conduct periodic risk assessments and adapt your privacy compliance program and breach response plans to reflect these changing risks.
Data breaches can result in class action lawsuits filed by impacted customers, regulatory investigations, and negative local or national media press coverage. Your response plan should address these post-breach risks.
Number 3 – Reengineer Internal Engineering
You cannot respond to a data breach if you do not know about the data breach. Your company may want to establish an internal data breach hotline or some other reporting mechanism to ensure that, as soon as a potential breach is discovered, this news can be quickly reported to your Chief Privacy Officer, Chief Information Security Officer, or other responsible privacy person.
Number 4 – Enhance External Engineering
Breaches also happen at third-party vendors and business partners, so you may need to enhance your vendor/partner management governance. The Ponemon study noted that the use of standard or model data security and breach contract terms with third parties, vendors, or business partners has increased. In 2013, 65 percent of respondents said their company had such terms in place and that number increased to 70 percent in the current survey results.
If you have not already done so, you should revise your contracts with third-party vendors and business partners to ensure they are required to have a data security program in place and to immediately notify you of a breach. The contracts should also permit you to periodically audit your third-party vendors and business partners for compliance with these terms—and you should actually audit your vendors and partners to ensure compliance.
Number 5 – Adopt Holistic Privacy Compliance Approach
Privacy issues permeate your entire business, so you should incorporate privacy compliance into all business functions, business lines, and functional departments.
Number 6 – Tone at the Top
Senior management should affirmatively make privacy compliance and data breach preparedness a clear business priority and play an active role in assisting the company in preparing for and responding to data breach incidents. The Ponemon study noted that only 36 percent of the companies surveyed indicated that their leadership team had requested to be notified as soon as possible of a material data breach.
The person within the company responsible for privacy compliance must have buy-in and authority from senior management. If your company does not currently have a Chief Privacy Officer, Chief Information Security Officer, or other responsible privacy person, consider adding someone in this role, even if that person wears other hats, and ensure that person has access to and reporting requirements to the senior leadership team.
Number 7 – Increase Education and Training
Your company should continually educate all employees, including senior management, on the importance of safeguarding sensitive data and the risks of data breaches. One of the most recent breaches reported in the Privacy Rights Clearinghouse list resulted from the theft of a laptop from an employee’s vehicle. Intentional or inadvertent data breaches by employees will always remain a risk, but proactive training can reduce this risk.
Number 8 – Conduct Periodic Reviews and Simulations
Your company should establish a periodic review schedule of your data breach incident response management plan to ensure the plan reflects the current security risks facing the company as identified in your periodic risk assessments. You may want to consider staging breach response simulations. Seventy-seven percent of respondents in the Ponemon study indicated that such “fire drills” were a key step companies should take to improve breach responses.
Number 9 – Engage External Help
Your company should establish relationships with credit-monitoring services, law firms, breach investigation consultants, public relations firms, and others prior to a data breach. This prior planning will help minimize response times after breach incidents, and facilitate rapidly implementable voluntary remediation options such as free credit monitoring or identity theft protection to affected customers. Such measures, if promptly made available, can significantly moot or mitigate exposure on the litigation front.
Number 10 – Consider Financial Impact of Breaches
Your company should budget every year for the cost of responding to data breach incidents—and for the cost of preparing for data breaches. You cannot postpone notifying your customers or regulators, where required, of a data breach while your breach incident budget request winds its way through your formal off-budget funding approval channels.
You may also want to consider obtaining a cyber insurance policy. The Ponemon study noted that only 10 percent of respondents in 2013 indicated their company had purchased a policy. In 2014, this percentage more than doubled to 26 percent.
Advance planning can help reduce the high cost of data breaches and the time it takes your company to respond to its customers and regulators after a breach incident. The current per-record cost of a data breach averages $201. As reported in the Ponemon study, companies incurred an average cost of $3.5 million in responding to a single data breach incident. In a securities filing in August 2014, Target reported that the costs associated with its data breach had reached $148 million as of the second quarter of 2014. Your company may not experience a Target-sized breach, but the costs of responding to one or more smaller-scale data breaches can still impact your company’s bottom line.
The Ponemon study identified certain factors that influence the cost of responding to a data breach incident. The study noted that, among other factors, a company that has a formal incident management response plan in place prior to the incident can reduce the average cost of a data breach by as much as $17 per record. Since advance planning pays off in the end, it may be wise to invest some time and money in comprehensive breach response planning today. Not only may you save money, but a prompt and proactive data breach response strategy will go a long way toward maintaining the trust of your customers after a breach.