Millions of customer and patient records are exposed every year as a result of ongoing data breaches that target every industry imaginable. A foolproof data breach management policy can help your team respond to these events, even mitigating some attacks from ever occurring in the first place—as long as everyone in your team is on the same page.
Building Your Data Breach Management Policy
Comprehensive data breach management really involves a combination of software and hardware tools, long-term strategies, and day-to-day system monitoring. It’s these elements that ultimately determine your success when responding to active incidents, and it’s these nuances that form the basis for your entire data breach management policy.
Building your own data breach management policy requires:
- Finding and assembling the perfect team amongst your current staff
- Identifying and containing data breaches
- Analyzing risks following a data breach
- Maintaining compliance after a breach
- Reviewing the incident
Consulting with a cybersecurity and data breach management expert throughout the process will also verify that your policy addresses all necessary facets.
Developing a Team-Oriented Strategy
The first step in the breach management process involves creating and developing an official breach management team. During this phase, you’ll focus on enlisting the right individuals, assigning duties, and prioritizing tasks. Then, when an incident does occur, everyone will have a clear understanding of their responsibilities regarding the data breach.
Finding the Right Teammates
Many of the steps taken before, during, and after a data breach can be accomplished by in-house IT staff members. However, there are times when external staff and third-party services are needed—especially in the case of a physical breach of security.
Large-scale and recurring breaches should be investigated by an independent data forensics team. They’ll be able to assist your in-house staff with evidence collection and analysis, forensic imaging, and remediation.
In general, important staff members to include in your data breach management team include:
- Information security directors, leaders, and support staff
- IT forensics specialists
- General and operations managers
- Human resources personnel
- Public and investor relations staff
- Legal staff
When responding to a physical data breach, you’ll also want to include your security staff members and local law enforcement personnel.
Establishing Responsibility and Prioritizing Tasks
Now that you have your team assembled, it’s time to continue your data breach management policy by creating a clear chain of command, establishing individual responsibilities, and prioritizing tasks. This ensures that your team is always ready to execute their breach response plan.
The overall rank and seniority of individual teammates should mirror that of your normal staff roster. In most cases, executive-level staff should assume leadership, directorship, or consultation roles.
When responding to a breach of your network or IT systems, it will naturally be your regular IT team that handles the brunt of the work. Make sure to prioritize and delegate individual tasks appropriately, as doing so hastens your entire response effort without bogging down your team members with too many responsibilities.
Responding to Data Breaches
Your team should stage their response as soon as a data breach has been detected or reported. Failing to respond promptly could result in the permanent loss of critical forensic data that would help trace the culprit or be used to help bolster your IT defenses moving forward.
Breach Identification
Start by identifying and documenting the breach as thoroughly and accurately as possible. This information will be invaluable in the later risk assessment and review phases, and it might be required for third-party compliance audits in the future. It will also provide a reference point throughout the breach management process.
There are two types of data breaches that can occur:
- Physical – This typically involves the physical theft of records, but lost, misplaced, or otherwise exposed records and devices are also at risk of a physical data breach.
- Electronic – What most people think of when it comes to data breaches, they involve unauthorized access to sensitive or confidential data.
In the case of physical breaches, you’ll need to document any persons—either internally or externally—who were present when the breach originally occurred.
For electronic data breaches, note any affected IT systems, including hardware and software systems. You’ll also want to note that method of entry, which could include advanced computer viruses, ransomware, malicious software, and other forms of cyberattack.
Breach Containment and Remediation
Your team needs to move quickly and efficiently to contain the breach and minimize the damage. Appropriate personnel must promptly secure the premises and restrict access—physically or digitally. The IT specialists on your team will then begin recouping or re-creating the lost data and performing general data breach management activities.
The containment process can be much more difficult in an electronic data breach. Although it’s easy to see records that have already been exposed, many hackers are known for releasing stolen data over days, weeks, or months. Moreover, some malicious software can remain dormant in your system until triggered.
Regardless, some critical first steps in electronic data breach containment include:
- Isolating the affected system, server, hard drive, or partition and limiting usage
- Requiring new and unique passwords from all users
- Implementing multi-factor authentication (MFA)
You need to effectively implement a total lockdown following a breach and assume all credentials or access may be compromised by default.
Risk Assessment
Some data breaches carry more inherent risk than others. For example, a hacker or malicious actor who views confidential data and immediately logs out of the system is still dangerous, but not as much as one who makes copies of these records and posts them online. Detecting an intruder who’s only taking a quick look may also indicate a forthcoming and more substantial breach. So, it’s important to examine each access violation and determine its exact risk.
First, consider the type of data involved in the breach. While all cases should be taken seriously, incidents involving encrypted records don’t pose as much risk as access to unencrypted files—assuming your cryptographic keys haven’t been compromised as well.
Next you’ll want to consider who is responsible for the breach. If it’s an internal employee, you’ll need to determine if the act was intentional or accidental. Cases involving an unknown entity should always be treated as high-risk.
Finally, take some time to consider any negative effects caused by the data breach—including the potential harm to your customers or patients, staff members, and brand. Any incident likely results in reputational damage, but your response and mitigation efforts can go a long way to restoring confidence.
Breach Notification
While notifying the public of a data breach is considered by many to be an act of common professional courtesy, all 50 of the United States maintain some form of breach notification requirement as part of the standard breach management process. Depending on your industry, breach notifications might be required for compliance purposes, too.
Most state-specific notification requirements are quite flexible when compared to those maintained by various industry regulations. Although most states simply require that your notice is given as soon as possible following the breach, some have a 45-day window in which to produce your data breach notification. Consult all appropriate government and industry timelines when building your data breach management plan to ensure they’re properly incorporated.
When maintaining compliance with industry standards, data breach notifications are required by the following governing bodies and regulatory standards:
- HIPAA – Healthcare plans and providers are subject to HIPAA’s Breach Notification Rule, which requires covered entities to notify affected individuals, the HHS, and, in some cases, a local media station as soon as is feasible and no later than 60 days.
- If fewer than 500 people are affected by the breach, notice to the Secretary of Health and Human Services (HHS) must be provided no later than 60 days after the calendar year’s close.
- SOC – Data breaches that occur because of an internal controls failure or due to an organization’s inability to meet their service commitments must be reported.
- GDPR – Citizens in the EU that may be affected as the result of a data breach require direct notification under GDPR guidelines.
- CCPA – Applicable only in the state of California, organizations must notify any state resident whose information has been compromised during a data breach.
Incident Review and Reporting
The final phase of your data breach management policy involves a comprehensive review and report of the entire incident. Use the initial reporting completed during the breach identification phase to inform your final review. During this step you’ll include remediation activities, any damage caused to the public or your brand, and ideas for improving your defenses in the future.
Protecting Your Organization From Data Breaches
Data breach management isn’t a one-time task. Instead, it’s an ongoing process that involves many different IT resources, dedicated staff members, and consistent system monitoring. For more information, or to find out how you can start building your policy right away, contact RSI Security today!