The Importance of Data Breach Response Plans During COVID-19
For many companies, cyber attacks and data breaches have become an inevitable part of owning and operating a business. Although a data breach response plan is always recommended for businesses to have in place, the importance is heightened because of the additional challenges and obstacles that the COVID-19 pandemic has placed on businesses. It is challenging for companies to be prepared for cyber attacks during this time of remote work because of the different communication methods, the inability to gather as a team, and an increased reliance on technology.
A data breach response plan provides a step-by-step guide on how to respond to a data breach to mitigate potential damage, protect consumer confidence, and reduce recovery time. Preventing a data breach may be impossible. Preparation is a realistic way to protect your business by being in a position to limit the damage once a breach has occurred. If a breach is not handled properly, the effects can be devastating.
What is the Purpose of a Data Breach Response Plan?
Early detection of a cyber attack and resulting action can help minimize the damage a business suffers during a security incident. The longer it takes for a business to discover that a data breach has occurred, the more time a hacker has to steal data or take over your system. According to a study conducted by IBM and the Ponemon Institute, it takes an average of 279 days for a business to identify and contain a breach. The study reports that a breach that is not contained in under 200 days can cost $1.2 million more to remedy than a breach that lasts less than 200 days.
A key reason for a data breach response plan is to protect your reputation and customer trust. Businesses spend years building a quality brand and consumer trust. This investment of time and money can be quickly destroyed by a data breach. If a breach is not handled quickly, a business risks losing customers and damaging its reputation with the public. A quick and effective response to a breach shows accountability, which can help protect the trust of consumers and the public.
Drafting and instituting a data breach response plan can also protect your revenue. According to the IBM and Ponemon Institute study, the average total cost of a data breach is $3.92 million and the average breach involves 25,575 records. Even for a relatively small-scale breach, the associated costs can be devastating. When a breach occurs, not only is direct company revenue jeopardized, but outside costs like legal services, forensic investigations, and regulatory fines can result in high, unanticipated expenses. If a business has a data breach response plan in place, it can help ensure that the company makes a timely return to its usual operations and reduces the external costs of a breach. The longer it takes a business to respond to a breach and get it under control, the greater the risk of sustaining damage from the breach.
Data breaches place a great deal of stress on a business. Without a detailed plan, there is a greater chance for missteps and mistakes, which will increase the cost, damage, or duration of a breach.
A data breach response plan should be in place before a breach occurs so the business has the opportunity to test and revise the plan. Testing the plan allows the business to identify holes in security protection and fix any issues that may arise. Technology is always evolving and adapting, and so should your plan.
Elements of a Data Breach Response Plan
The first step in a data breach response plan is to assess and understand what type of data your business has and where that data is collected and stored. The better understanding you have of your company’s data, the easier it is to monitor sensitive information to quickly identify cyber attacks. Once you understand the type of data your organization has, you should draft and keep an inventory of what data is collected and where it is stored.
Next, your plan should define what constitutes a breach. It is important to determine which incidents require activation of your plan and which do not. For example, a phishing email may only have minor effects on your business and may not require activation of the full data breach response plan. To better assess an appropriate response, it helps to put a system into place to determine whether an incident constitutes a breach or if further investigation is required.
Third, you should identify the key employees who are responsible in the event of a breach. A response team should be put into place, composed of trusted employees who are familiar with the business. The number of individuals on the response team can vary depending on the size and complexity of the business. The response team usually includes someone from the information technology, human resources, legal, risk management, and senior management departments. Each member of the response team should be assigned specific responsibilities that draw on his or her expertise.
Internally, a system of communication in the organization should be implemented so employees know who to contact with information and who is responsible for each step. The business should determine if the breach is ongoing and take immediate action to contain it. The plan should include the immediate steps that need to be taken to mitigate the damage.
Externally, the plan should include a timeline so employees on the data breach response team know when to seek outside help and who to call. Outside consultants, including attorneys, law enforcement, recovery experts, and an insurance broker, should be identified in the plan.
If necessary, the business might have to notify customers, employees, and others possibly affected by the breach. Such notifications are often imperative to comply with the variety of data privacy and security laws and to protect the relationship between your business and its customers. The plan should include a communication plan for notifications, press releases, and any other statements that need to be made.
Finally, one of the most important parts of the plan is the ability to reflect on the actions taken during a possible breach incident and determine any areas for improvement. The response team should make sure to document every action taken during and after the breach. This documentation can be used to conduct a post-breach evaluation and have a record to rely upon if state or federal authorities decide to conduct any investigations related to the breach.
Breaches of Security During the COVID-19 Pandemic
As companies have transitioned to remote working environments during the COVID-19 pandemic, cybercriminals have taken advantage of the situation by using phishing emails to impersonate employees and by sending emails and creating websites with malware pretending to provide COVID-19 information, among other tactics.
If your business already has a data breach response plan in place, the plan should be reviewed with an emphasis on how the plan will be deployed when much of the workforce is located off-site. The current plan as drafted may not provide enough protection for a new work environment.
The state of operations during COVID-19 requires additional consideration when amending a data breach response plan. The plan should address concerns regarding the members of the response team being located in different places. To help alleviate those concerns, the plan should contain clear communication details with updated contact information. The plan should ensure that all contact information for external personnel that provide essential help during a breach is current.
Additionally, the communication channels that businesses are relying on to conduct work remotely may become compromised or have technical problems, which can be an additional obstacle when trying to remedy a breach incident. Institute back-ups for response team members who may be less responsive than usual during an incident because of the remote working environment.
Koley Jessen continues to monitor the situation and stay current on cybersecurity issues in light of the COVID-19 coronavirus outbreak. If your organization has additional questions or concerns as the situation develops, please contact a member of the Koley Jessen Data Privacy and Security practice area. Koley Jessen team members are also available to draft any cybersecurity policies that your business may need to put into place.
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.