December 24, 2012 commentary

How to: Create a data incident response plan

Data security breaches affect organizations of all sizes. Whether it is Zappos.com with its 24 million customer accounts or your local Subway franchise, no business is immune from the threat of a data security breach. Breaches occur in many ways — from sophisticated hacking intrusions to simple thefts of laptops and cellphones. Therefore, all organizations should plan for the possibility of a data security incident. How well your organization handles a potential breach may have long-lasting financial, business and legal consequences. In creating a data incident response plan, your organization should:

1. Create a team

Your organization should create a team of individuals who will convene in the event of a significant data security breach. The team should include at least one member of your organization with broad decision-making authority so that decisive action can be taken in a timely manner. In addition, your organization should decide whether the response team will include third-party service providers such as outside legal counsel, who can assist you with legal and regulatory compliance, and data forensic experts, who can assist you with investigation and mitigation of the breach.

2. Create a plan

Your organization should be prepared, in advance of a data security breach, to respond in an efficient and effective manner. In order to ensure an organized response, a response plan should address how data security breaches are investigated and reported internally. A comprehensive response plan should also ensure that, in the event of a breach, an assessment is made regarding the scope of the breach, the types of data lost or exposed, the number of individuals affected, the places of residence for affected individuals, and the likelihood that the data may be used to cause harm.

3. Determine notification requirements

Currently, all but four states have laws related to data security breach notification. Unfortunately, these laws are not uniform. States impose different definitions of protected data, covered entities, notification deadlines, safe harbors and penalties.

If your organization has customer data, chances are your organization also has data relating to individuals residing in states outside of your own. Therefore, your organization is likely governed by notification laws of several states. Federal law might impose additional notification requirements depending on your organization's industry. Finally, if your organization holds information of customers living outside the United States, notification of those persons may be required under their countries' own laws.

These requirements can be exceedingly complex. Your organization does not want to grapple with these issues for the first time in response to an actual data security breach.

4. Draft responses and determine how they will be communicated

Customers and clients may lose confidence in an organization when there is a data security breach. Prompt notification regarding any problems, however, might mitigate damage in this area. In the event of an incident, your communications to customers should include:

  • A brief description of what happened;
  • A description of the types of personal information that were involved in the breach (full name, Social Security number, home address, account numbers, zip codes, email address, passwords, etc.);
  • A brief description of what your organization is doing to investigate the breach and mitigate potential harm;
  • Contact information for affected or concerned customers who have questions regarding the breach;
  • Steps individuals should take to protect themselves from identity fraud; and
  • (If applicable) A description of the services your organization is offering in order to assist affected customers.

5. Determine when remedial measures are necessary

A data incident plan should evaluate whether remedial measures should be offered to affected individuals. If there is substantial risk of identity theft or other harm to customers and/or clients, your organization might wish to offer to pay for services such as identity theft protection and credit monitoring for a designated period of time (commonly one year) on behalf of those individuals. Moreover, even if the risk of harm is minimal, you might still wish to provide these services in an effort to offset any inconvenience and anxiety experienced by customers. These measures might assist in preserving customer loyalty and reducing potential liability related to the breach.