In Pictures: 10 mistakes companies make after a data breach
Michael Bruemmer, vice president of Experian Data Breach Resolution, outlines some of the common mistakes his firm has seen as organizations deal with the aftermath of a breach, during a presentation for The International Association of Privacy Professionals (IAPP) Privacy Academy.
How to weather the storm
The aftermath of a data breach, such as the one experienced last month by Adobe, can be chaotic if not dealt with properly. The result of such poor handling could see organizations facing a hit to reputation, or worse, financial and legal problems.
No external agencies secured
Sometimes a breach is too big to deal with in-house, and the type of breach may make that option an unwise one, so it's best to have external help lined up before it is needed. Incident response teams, such as those offered by Verizon Business, Experian, Trustwave, or IBM (just to name a few), should at least be evaluated and considered when forming a business continuity / incident response plan.
"The process of selecting the right partner can take time as there are different levels of service and various solutions to consider...Not having a forensic expert or resolution agency already identified
No engagement with outside counsel
"Enlisting an outside attorney is highly recommended," Bruemmer said.
"No single federal law or regulation governs the security of all types of sensitive personal information. As a result, determining which federal law, regulation or guidance is applicable depends, in part, on the entity or sector that collected the information and the type of information collected and regulated."
Unless internal staff are knowledgeable about all current laws and legislation, external legal counsel with expertise in data breaches is a wise investment.
No single decision maker
"While there are several parties within an organization that should be on a data breach response team, every team needs a leader," Bruemmer said.
There needs to be one person who drives the response plan and acts as the single point of contact for all external parties. That person is also in charge of the internal reporting structure, ensuring that everyone from executives to individual response team members is kept updated.
Lack of clear communication
Related to the lack of a single decision maker, a lack of clear communication is also a problem. Miscommunication can be a key driver of mishandling a data breach, Bruemmer said, as it delays the process and adds confusion.
"Once the incident response team is identified, identify clear delegation of authority, and then provide attorneys and [external parties] with one main contact."
No communications plan
Sticking to the communications theme, another issue organizations face is the lack of planning as it relates to the public, especially the media.
"Companies should have a well-documented and tested communications plan in the event of a breach, which includes draft statements and other materials to activate quickly. Failure to integrate communications into overall planning typically means delayed responses to media and likely more critical coverage," Bruemmer explained.
Waiting for perfect information before acting
Dealing with the aftermath of a data breach often means operating with incomplete or rapidly changing information, as internal or external security forensics teams continue to uncover new facts.
"Companies need to begin the process of managing a breach once an intrusion is confirmed and start the process of managing the incident early. Waiting for perfect information could ultimately lead to condensed timeframes that make it difficult to meet all of the many notification and other requirements," Bruemmer said.
Micromanaging the breach
"Breach resolution requires team support, and often companies fail when micromanaging occurs. Trust your outside counsel and breach resolution vendors, and hold them accountable to execute the incident response plan," Bruemmer said.
No remediation plans post incident
There should be plans in place that address how to engage with customers and other audiences once the breach is resolved, as well as the establishment of additional measures to prevent future incidents.
"If an organization makes additional investments in processes, people and technology to more effectively secure the data, finding ways to share those efforts with stakeholders can help rebuild reputation and trust. Yet, many fail to take advantage of this longer-term need once the initial shock of the incident is over," Bruemmer said.
Not providing a remedy to consumers
Customers should be put at the center of decision making following a breach. This focus means providing some sort of remedy, including call centers where consumers can voice their concerns, and credit monitoring if financial, health or other highly sensitive information is lost.
"Even in incidents that involve less sensitive information, companies should consider other actions or guidance that can be provided to consumers to protect themselves," Bruemmer said.
Failing to practice
"Above all, a plan needs to be practiced with the full team. An incident response plan is a living, breathing document that needs to be continually updated and revised. By conducting a tabletop exercise on a regular basis, teams can work out any hiccups before it's too late," Bruemmer said.