Data breaches seem to have become an almost everyday occurrence.
An effective response can be the difference between a graceful recovery and severe financial, reputational or legal repercussions.
How to survive a data breach
Barely a week goes by without news of yet another organisation losing hundreds of thousands of personal records or having its database hacked. These stories invariably make national headlines, and people directly affected can expect to receive an email from the breached organisation as well.
Every new horror story is a reminder that any organisation handling customer data must plan for this eventuality. This is not just a computer systems issue – most of the 'make or break' moments in a data leak take place outside the direct control of the IT function.
Even the best defended organisation can fall victim to a data breach. Hopefully it won't happen at yours, but here are five steps to take when planning for the worst case.
1. Decide who does what
A data breach is a crisis. And all crisis management policies start with a clear set of statements that spell out:
- Who's in charge – and that nothing happens without that person's approval;
- Who will be in your Three Key Teams (see below);
- What playbooks and other documentation the teams will work to; and
- What time-frames or service level agreements your staff and/or external suppliers are committed to work to.
The goal here is to make sure all actions are deliberate, considered and calculated to minimise the impact of the incident. You don't want your technical responders isolating systems while your communications team is telling the press that everything is returning to normal.
2. Assess the impact of a data breach
It's important to understand how a data breach will impact your organisation – and how much of a hit the organisation can take. So evaluate, for example:
- The effect on productivity if the organisation has to fall back to paper;
- How this may affect its ability to meet its contractual or regulatory requirements; and
- What will happen if no preventative measures are taken.
Gather as much of this information as you can now: it will help you make quicker, better informed decisions – and achieve better outcomes – should you ever need to.
3. Know your regulatory requirements
A whole range of regulatory requirements apply specifically during a data breach. These vary according to the jurisdiction and some may even be contradictory. In particular, many regimes impose fixed deadlines for notifying regulators and affected individuals, so know those deadlines before the clock starts running. Take time to familiarise yourself with these requirements and, if necessary, take advice from a specialist in the field.
4. Set up your Three Key Teams
Your Three Key Teams can be internal or external, so long as they can work to your agreed protocol and agreed timelines. The three areas are:
- Technical: breach specialists who can:
  - Tell you what happened;
  - Confirm what you lost and how; and
  - Help you to recover impacted systems.
- Legal: specialists in this field who understand your legal requirements and obligations; and
- Communications: all breaches will call for communications management, whether it’s crafting emails to affected customers or preventing your Chief Executive from having a 'Dido Harding moment' on national television.
Diana ‘Dido’ Harding was Chief Executive of the Talk Talk Group when, in October 2015, the company was subject to a cyber attack. The personal and banking details of up to four million of the company’s broadband and telephone subscription customers are thought to have been accessed in this attack. In an interview with the BBC, Harding was asked whether the stolen data was encrypted. She answered: ‘The awful truth is that I don’t know’. Talk Talk’s share price nosedived.
5. Write it down and practise
The value in any plan is its ease of execution. The best crisis management plan in the world is utterly useless if it's locked in a drawer and never read. Ensure, then, that everyone involved in your data breach plan maintains a fresh familiarity with it. Ideally, your Three Key Teams should be able to follow their plans and playbooks while half asleep.
There’s no real substitute for practice, so schedule regular scenarios that simulate what might happen – and the more realistic the better.
Data breaches are increasingly common in large organisations. So, while prevention is better than cure, it’s also crucial to have an actionable plan for dealing with a breach. Centre this around your Three Key Teams – technical, legal and communications – and schedule regular practice scenarios to keep all relevant people familiar with their roles in the event of a data breach.