Written by Paul Diaz, VP of Policy, Public Interest Registry
This post is part of a Public Interest Registry series called “NGOs and Data Security” aimed at providing educational insight to noncommercial internet users around different data and information security themes.
If you’ve read Part 1 of this blog series – NGOs and Data Security: Best Practices for Data Breach Prevention – you know that no matter how robust your security defenses may be, no company is infallible when it comes to data breaches. Assuming you’ve already put in place prevention measures, the next step is to create a comprehensive action plan so your organization is equipped and ready should you fall victim to an attack. Below are some elements to address in your data breach action plan, but remember: your plan should always be customized for your organization, the types of data at risk, the security systems and processes you have in place, and any legal requirements for your jurisdiction.
Elements of a Data Breach Action Plan
- Roles and Responsibilities. It’s important to have a clear understanding of the internal stakeholders who will need to spring into action should a data breach occur. Your IT team or representative will be critical to containing the breach and should have a clear response process in place to quickly assess the scale of the attack and prevent further damage. Other internal departments that may need to be involved include HR (should employee information be at risk), legal (to determine legal implications of the breach), communications (to discuss how to communicate with all relevant parties), as well as your executive leadership team. When a breach does occur, every minute is critical so it’s essential to clearly assign decision-making responsibilities and work to keep the response team as lean as possible.
- Data Sensitivity. Every organization should understand the type of data at risk if your system is hacked. Do you have access to personally identifiable data such as health records, financial information, or social security numbers? Is your data encrypted? Your action plan should include a clear breakdown of the types of data that could be compromised in an attack, along with data levels of sensitivity. Conducting this risk audit for each type of information will allow you to respond more quickly in the aftermath of a breach.
- Legal Responsibilities and Implications. Be sure your legal responsibilities are clearly outlined in your action plan, particularly as it relates to consumer and government notification. Also, it’s important to be aware of any jurisdiction-specific data breach laws and industry-specific notification requirements from regulatory bodies like the securities and exchange commission (SEC) or laws like the Health Insurance Portability and Accountability Act (HIPPA). You should always commit to acting in the best interest of those who had their data stolen, but also know your legal rights as an organization, the rights of your employees as well as the rights of those affected by the breach.
- Communication Strategy. Have a clear list of who should be notified immediately once a breach happens (internal stakeholders and decision makers) as well as the subsequent parties who should be made aware as more information surfaces. One communication best practice is to identify and train a company spokesperson who will be comfortable speaking on behalf of the organization. It’s also advisable to develop draft notification emails, media statements and FAQs to incorporate into your plan, so if a breach does occur, the materials can be quickly customized and shared with relevant stakeholders. In addition to materials, think through the channels that will work best for your customers. In some cases, email may be the most effective, but if your organization has a strong social following you may also want to engage on those platforms as well. Mishandling the communication and notification process of those possibly impacted by the breach could cause significant harm to your organization’s reputation and financial well-being. Be sure you appropriately invest time in your communications strategy in advance.
- Scenario-Based Training. Your action plan will be most useful if it goes beyond outlining process and includes possible scenarios and best practices for each hypothetical situation. Include a few examples of possible breaches and how best to respond. It may be best to run through a tabletop exercise at least once per year, with all the decisionmakers who would be involved in the event of a breach, to walk through various scenarios and discuss the response plan as a team. You can also use this as an opportunity to highlight a few companies/organizations who handled a recent breach well, highlighting what worked. Schedule run throughs of the scenarios to get your IT specialists used to responding quickly to a crisis and your spokesperson ready to answer tough questions from employees, investors and members of the media.
Once your action plan is developed, don’t make the cardinal sin of putting it aside and letting it collect dust. Schedule regular trainings for employees and be sure this action plan is reviewed by appropriate team members from the C-suite down. It’s also critical you revisit and update the plan on a regular basis to reflect new threats that may arise in this rapidly evolving security landscape.
Check back soon for Part 3 of this series, which will provide recommendations for how to respond in the aftermath of a breach.