Data breaches are a serious concern for any organization. They can result in identity theft, fraudulent transactions, industrial espionage, and more.
A well-designed data breach response policy can help you limit the impact of a security incident. Following a series of steps, you can ensure your company can quickly respond to a security breach.
Identifying Information of Concern
To correctly identify the information of concern in a data breach, it is essential to consider the context in which the personally identifiable information (PII) was collected, maintained, and used. This matters most when determining whether an individual may be identified from the PII.
For example, a list of personnel and their office phone numbers may not be sensitive in isolation, but it might be highly sensitive if the same individuals receive certain health benefits, such as mental health counseling. Likewise, a list of beneficiaries’ personal information together with their Social Security numbers could be sensitive if a Social Security number could be used to open an account in the name of someone other than the person using it.
Breach Response Stakeholders should assess each data element case by case to determine its sensitivity. For example, a person’s name, address, Social Security number, and date of birth are all PII.
However, if these same pieces of information are not protected by an access control mechanism that would prevent unauthorized access to the report, they may be less sensitive. In these situations, Breach Response Stakeholders should encourage affected individuals to use multi-factor authentication or change their passwords as appropriate.
What, then, is a data breach response policy? An organization’s response to a data breach is set out in a data breach response plan. It describes what constitutes an information security or cybersecurity incident, who is involved in the plan and how to reach them, what to do during a breach, and what to do afterwards.
Once a breach is identified, the Breach Response Stakeholders should determine whether and when to notify individuals affected. This determination will depend on the assessed risk of harm, the context of the breach, and any other factors that may affect the decision.
Identifying the Potential Impact of a Breach
A data breach can have a devastating impact on your business. Whether a small business or a multinational company, a data security breach seriously threatens your financial stability and reputation.
While many data breaches result from malicious acts, unintentional incidents occur without the knowledge or permission of a business owner. Accidental information leaks may result from mistakes such as setting a private file to “public,” misconfiguring cloud storage buckets, or forgetting to password-protect a database.
Once a breach has been detected, your business should take immediate action to contain the situation. This includes contacting the affected financial institutions and working with forensic experts to identify what information was exposed, who has access to it, and how to stop further data loss.
The next step is to perform a risk assessment to identify secondary threats. This involves collecting forensic evidence and assessing systems and software, including patching vulnerabilities and applying security fixes.
A layered, defense-in-depth approach to cybersecurity is crucial to preventing future data breaches. Keep offline backups, test them regularly, and allow data to leave your environment only through controlled channels.
Identifying the Requirements for Notification
When a breach occurs, the law requires that you notify affected parties as promptly as possible. This includes the individuals whose personal information was compromised and the state agencies responsible for monitoring breaches.
Notification may be delayed in certain circumstances, such as when a criminal investigation into the breach is underway or when a law enforcement agency determines that notification would impair its ability to conduct its investigation. However, the delay should be short and transparent.
The law also sets out several requirements for notifying affected individuals of a data breach, including informing them without undue delay and, at the latest, within 72 hours of becoming aware of the breach. You must also provide information about the type and extent of the breach and the remedial actions taken to deal with it.
Whether a breach is reportable depends on the context and scale of the data exposed and on how likely it is that individuals will suffer adverse consequences. For example, the theft of someone’s address details alone would be unlikely to constitute a reportable breach, but if health information was taken and the individual could suffer financial loss, it would be.
As with any legal requirement, it’s essential to check both federal and state laws for the specific needs of your business and situation. Privacy & Security practice maintains a comprehensive chart of state breach notification statutes to assist with preparing for and responding to a data breach.
Identifying the Requirements for Reporting to Law Enforcement
Businesses and other organizations must report the incident to law enforcement when a breach occurs. This may be required by state or federal law, depending on the nature of the information compromised.
Most states require businesses to notify consumers when personal information is exposed. This may be done through a website, by email, or by phone.
Business owners must also consider whether the breach was intentional or unintentional. If the breach was willful, notice must be sent to affected individuals to alert them to potential identity theft and other financial harm.
In addition, the business must inform customers that it will provide them with a list of steps they can take to protect themselves against phishing scams and other threats associated with the breach. This list will also include information about how the business will contact consumers in the future.
The business must also develop or review a risk-based written information security program that considers the company’s size, its operations, the types of records it maintains, and the level of security the organization has in place. This risk-based approach can benefit small businesses that have fewer resources to devote to securing sensitive data. This is especially true when the data breach involves credit card or Social Security numbers.