November 23, 2017
Companies have a 1 in 4 chance of experiencing a data breach today, according to the Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview.
While the costs of data breaches have decreased – the average total cost of a data breach decreased 10% in 2017 to $3.62 million, and the average cost per record decreased 11.4% to $141 – the average size of a data breach increased by 1.8% to 24,089 records.
All of this underlines the importance of incident response planning, and of doing everything possible to contain a data breach and reduce its impact.
Here’s a step-by-step guide to what to do if your company experiences a data breach.
As soon as you become aware of a breach, alert your response team. The team lead should have decision-making authority, and report to the Board. An incident response team has been the top cost-reducing factor for the last three years according to Ponemon, reducing the cost-per-record by $19.30.
Identify the source of the breach as quickly as possible (was it a misconfigured firewall, malware, a lost laptop, or a phishing attack?) and contain the compromise. This could mean isolating the compromised segment of the network, recovering a lost piece of equipment, or changing the access codes at the front door. What matters most is deciding what you can do to limit the breach, and doing it.
Now determine how sensitive the breached data is and what the immediate risks are. In a ransomware attack, the encrypted data may only be needed by employees to do their jobs, and there may be backup copies that can be restored. Theft of customer data, on the other hand, could lead to identity theft. Inform the police if appropriate.
The initial fix should address every aspect of the breach, but investigators should also perform a root cause analysis so the problem does not recur. Digital forensics, carried out on evidence (logs, disk images, affected devices) preserved before systems are rebuilt, can establish how the breach happened.
Do any notification rules apply? Privacy laws differ by country and industry, and so do their notification requirements. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to notify affected individuals without unreasonable delay, and no later than 60 days after discovery of a breach of unsecured protected health information. For companies that handle personal data of European Union (EU) residents, the new General Data Protection Regulation (GDPR), which applies from May 2018, will require notifying the supervisory authority within 72 hours of becoming aware of the breach where feasible, and notifying affected individuals without undue delay when the breach is likely to result in a high risk to them. The Online Trust Alliance's 2017 guidance encourages organizations to keep up to date on the regulatory landscape and to build relationships with local regulators and law enforcement in advance, so that a response is not slowed by first contact during an incident.
Evaluate the incident response plan and implement policies, procedures, and technology that improve safeguards. This includes technical safeguards (for example, encryption) on all hard drives and portable media, but also a review of how collected data is managed (a comprehensive Document Management policy is recommended). Monitor staff awareness of security, and provide ongoing training. Partner with a document destruction company that has a secure chain of custody and provides both paper and digital data destruction services.