As many companies have learned first-hand, data breaches and security incidents can arise at any time, and when they do, they can quickly consume an organization. Although companies often don’t get advance warning before a data breach occurs, you can better equip your organization to respond to the myriad of issues arising in the wake of a data breach with some thoughtful advance planning. One of the most important steps: develop a breach response plan.
Well-drafted security breach response plans provide a playbook for an organization to follow when it learns of an actual or suspected security incident or data breach. Among the elements such a plan should include:
- Response team members and contact information
- Procedures for analyzing and containing a potential data security breach
- Communication plan that considers all the organization’s stakeholders (customers, vendors, shareholders, regulators)
- Plan for notifying affected individuals
- Remediation measures to be taken following a data security breach
- External resources (legal, communications, IT security/forensics, and credit monitoring service providers)
- Credit bureau information
- Insurance information (if any)
In preparing a security breach response plan, your organization should ask a wide range of questions about its operations. The goal is a plan that covers as many potential issues and scenarios as possible, while tailoring the procedures used in the wake of an incident to the organization’s culture, business, regulatory landscape, customer philosophy and risk tolerance. We’ll start with a couple of questions here, to be continued in additional posts:
What kind of personal information do we collect and from whom?
Personal information comes in all shapes and sizes and includes any information relating to an identified or identifiable person (employees, consumers, patients, etc.). Examples of personal information include: a person’s name, physical address, phone number, e-mail address, Social Security number, credit card numbers, driver’s license numbers, passport numbers, other ID numbers (whether generated by the organization or not), date of birth, savings account, checking account, insurance policy or other health account or financial account numbers or information, security codes, PINs, passwords, health or disability information, employee background checks (including credit reports), and any records derived from this information that relate to an identified or identifiable consumer.
When preparing a response plan, it is critical to identify the various types of personal information collected by the organization and from whom it is collected. In undertaking this analysis, don’t forget to look at the personal information collected from employees as well as external audiences.
With this information in hand, you can then determine where the information is stored, in what form it is collected and retained (physical, electronic, etc.), who can access it, how long it is retained and how it is secured.
Which third parties collect, access or use our personal information?
A security breach plan should not only address incidents or breaches that occur internally, but should also plan for breaches involving third-party vendors who are involved in the collection, use and storage of the organization’s personal information. Some obvious third parties include cloud storage vendors, data center providers, physical records storage vendors and third parties that provide processing, analytics and other data-focused services.
In addition to vendors with a significant role in handling personal information, there are many other third parties that, although easy to overlook, are just as important to identify. For example, an organization should identify consultants, contractors and vendors who have access to company systems (even if they are providing seemingly unrelated services like marketing, graphic design, accounting or legal services). Likewise, the list should include any vendors who have access to physical infrastructure used to collect, store or process data, including vendors who service systems and other computer hardware or vendors who supply and service mobile devices, tablets, medical equipment or other similar systems (even HVAC systems).
In each case, the organization should ensure it has appropriate contractual safeguards in place with the vendor to protect the information, as well as clear requirements that the vendor notify the organization if it detects or suspects a breach involving or related to the information.
We’ll follow up with some additional questions to ask on the topic in upcoming posts.