How to Build a Data Breach Response Plan

With the number of data breaches rising every year, protecting your confidential information is essential. Alongside the security controls your company already enforces, you should also have a data breach response plan. Dealing with a breach is monumentally less challenging when a response plan is already in place.

What you may not have considered when thinking about a data breach response plan are all the ways your data can be breached. Your confidential information could be exposed through malicious attacks, accidental mistakes, or employee incompetence. Data can fall into the wrong hands during electronic file transfers, through access to lost or stolen devices, or as a result of hackers infiltrating a company’s servers. Even sending an unsecured email could qualify as a data breach, depending on the information it contained.

The moments after a breach are the most crucial. How a breach is handled can drastically affect the outcome of the situation. That is why having an across-the-board data breach response plan can be so beneficial for your company.

Generally agreed-upon steps include:

  • Thorough, extensive documentation of events leading up to and immediately following the discovery of the breach
  • Clear and immediate communication with everyone in the company about what happened, and how they should respond to any external inquiries
  • Immediate notification and activation of the designated response team, especially legal counsel, to determine whether law enforcement and/or other regulatory agencies need to be involved
  • Identification of the cause of the breach and implementation of whatever steps are necessary to fix the problem
  • Development of the messaging and deployment schedule for notifying those whose data was compromised, based on counsel from lawyers who will review the state laws, compliance regulations, and other mandates that govern what the messaging must say and how soon notification must occur, as well as what compensation should be provided to affected victims

Five resources for developing a data breach response plan

If your company does not yet have a data breach response plan in place, or if you’ve been thinking it might be time to update your current policy, here are five great resources you’ll want to review.

Data Breach Response Guide

Here is a comprehensive 30-page PDF from the Experian Data Breach Resolution Team that covers how to handle each step of the response process, as well as information about specific kinds of breaches such as healthcare breaches. It even includes an audit tool you can use to check whether your current plan is as up to date as it needs to be.

Security Breach Response Plan Toolkit

Use this questionnaire from the International Association of Privacy Professionals (IAPP) to guide the development of your incident response plan. Involve your executive and IT teams so everyone can better understand all facets of the process.

BBB Data Security Guide

Specifically designed for small businesses, the Better Business Bureau provides a series of articles and resources to help companies understand the issues surrounding data security, as well as how to build a response plan.

Model Data Security Breach Preparedness Guide

For those with limited access to legal counsel, the American Bar Association created this PDF as an overview, from the legal perspective, of how to prepare for a data breach. It obviously isn’t a substitute for advice from a lawyer who knows, or can learn, the details of your specific situation and the laws that apply in your state and industry. However, it does provide good general information that could help you launch a discussion with your legal team.

Data Breach Charts

The Baker Hostetler law firm made this chart to show how the data breach laws of different states compare.