Imagine you are the CIO of a large financial institution and you just discovered two unencrypted laptops stolen from your premises, which contained customers’ personal information (also known as ‘personally identifiable information’ or PII). The highly visible data breach is likely to result in bad public relations and potentially a class-action lawsuit on behalf of the individuals whose identities were stolen.
Are you, the CIO, prepared to contend with the sudden media onslaught, negative publicity and need to minimize further liability? Rather than be purely reactive, what steps would you have taken to prepare for and contain this breach?
With 2,013 confirmed data breaches in 2019, many experts advise that preparation is at least as critical as prevention, given the ubiquitous but imperfect technology that surrounds us now. IBM’s Cost of a Data Breach Report found that the average total cost of a data breach is $3.92 million, a figure the report expects to keep rising. That said, preparedness has been shown to pay real dividends: in 2019, companies that were able to detect and contain a breach in less than 200 days spent $1.2 million less, on average, on the total cost of a breach than those that took longer.
This thought exercise should motivate everyone to perform what’s known in the security world as a “table-top exercise”: pretend that a data breach just happened, force yourself to write down the action steps you would take in response, and then consider which of those steps you can put in place before a breach happens.
Here are some general recommendations, paired as response steps and the preventative measures that make each step easier, to help you prepare for and, where possible, prevent a data breach.
- Breach response: Immediately contain the affected servers and physical infrastructure (isolate them from the network, revoke exposed credentials), while preserving logs and disk images so the forensic evidence is not destroyed in the rush to rebuild.
Preventative measures: Start securing and patching your vulnerable operating systems and applications today, or hire a service provider that has expertise in information security best practices and has demonstrated it through a SOC 2 attestation or ISO 27001 certification.
- Breach response: Assemble a team of security and legal experts to formulate a comprehensive data breach response that would then be communicated to either breach victims or the media or both.
Preventative measures: Form your team of experts now and have them trained and ready to respond in case disaster strikes. If you don’t have staff skilled in forensics, information security, information technology, or incident response, then consider keeping consultants or service providers on retainer who can readily provide these resources in times of need.
Note that your team of experts would also conduct a post-mortem after the breach, to help ensure this type of event is unlikely to recur. If your current team doesn’t have the requisite privacy or data security expertise, then consider hiring outside resources who can help with knowledge transfer and communication management.
- Breach response: Review your administrative, physical and technical controls to determine the items that need the most improvement. You may also find that various controls are missing and repeatedly landing on your list of potential audit risks.
Preventative measures: Determine the effectiveness of your administrative, physical and technical controls now. Outside consultants or service providers can assist if in-house expertise is lacking for these controls.
Administrative controls include your documented incident response procedures and mandated employee training programs. Physical controls include locks on cabinets, security cameras on your premises, and physical fences to keep out unwanted intruders. Technical controls include firewalls, antivirus/anti-malware software, intrusion detection systems, and log review and monitoring software that flags suspicious access to sensitive data.
In addition, you should consider implementing network segmentation, which isolates parts of your network so that a breach of one server (or site) does not give an attacker a path to other servers (or sites). Speak to other companies that have experienced a breach to see whether they have performed similar procedures.
- Breach response: Identify and notify relevant stakeholders. Even though all 50 U.S. states have some form of data security breach notification law, these statutes vary in what triggers the notification, how quickly notice must be given, and which exceptions apply (the most common being a risk-of-harm exception where the breach is unlikely to harm the affected individuals). Many of these statutes also exempt data that was encrypted, which is one reason the unencrypted laptops in the opening scenario are so costly.
Preventative measures: Create guidelines indicating who should be notified and under what circumstances. A service provider or attorney who is well-versed in breach notification statutes can help you draft these guidelines in advance.
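As an added illustration of the technical controls mentioned above (log review in particular), the following Python script reviews access-log lines for signs of PII misuse. It is an example written for this page, not code from the original article or from CDS. The log format, the sample lines, the 10.0.0.0/8 internal address range, the 07:00 to 19:00 UTC business-hours window, the 1,000-record bulk-export threshold and the `svc-` service-account prefix are all assumptions for the example.

```python
"""Review access logs for suspicious access to a PII data store (constructed example)."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample log lines (not from any real system). Assumed format:
# ISO-8601 UTC timestamp followed by key=value fields.
SAMPLE_LOG = """\
2019-11-04T09:12:03Z user=asmith action=view resource=customer_pii records=3 src=10.4.2.17
2019-11-04T09:40:51Z user=bjones action=view resource=customer_pii records=12 src=10.4.2.31
2019-11-04T13:05:22Z user=asmith action=export resource=customer_pii records=25 src=10.4.2.17
2019-11-04T23:48:10Z user=bjones action=export resource=customer_pii records=48000 src=10.4.2.31
2019-11-05T02:03:55Z user=bjones action=view resource=customer_pii records=7 src=198.51.100.23
2019-11-05T10:15:00Z user=svc-backup action=export resource=customer_pii records=90000 src=10.4.9.5
"""

# Assumed policy parameters for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 UTC
BULK_EXPORT_THRESHOLD = 1000            # records in a single export event
SERVICE_ACCOUNT_PREFIX = "svc-"         # batch jobs allowed to export in bulk
SENSITIVE_RESOURCE = "customer_pii"

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for tok in m.group("kv").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    try:
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        fields["records"] = int(fields.get("records", "0"))
    except ValueError:
        return None
    return fields


def is_internal(src):
    """True if the source address falls inside an assumed internal range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def review_access_log(text):
    """Return a list of findings, one per (line, rule) that fires."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        ev = parse_line(line)
        if ev is None or ev.get("resource") != SENSITIVE_RESOURCE:
            continue
        user = ev.get("user", "?")
        service_account = user.startswith(SERVICE_ACCOUNT_PREFIX)

        def flag(rule, detail):
            findings.append({"line": lineno, "user": user, "rule": rule, "detail": detail})

        # Rule 1: an interactive user exporting far more records than a normal task needs.
        if (ev.get("action") == "export" and ev["records"] >= BULK_EXPORT_THRESHOLD
                and not service_account):
            flag("bulk_export", f"{ev['records']} records exported")
        # Rule 2: interactive access to PII outside business hours.
        if ev["ts"].hour not in BUSINESS_HOURS and not service_account:
            flag("after_hours", ev["ts"].strftime("%H:%M UTC"))
        # Rule 3: any access from outside the internal network.
        if not is_internal(ev.get("src", "")):
            flag("external_source", ev.get("src", "?"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['user']} {f['rule']} ({f['detail']})")
```

On the sample above the script flags the 48,000-record after-hours export and the late-night access from an external address, while the `svc-backup` bulk export during business hours from an internal address passes. In practice the thresholds would be tuned per role and the findings forwarded to the incident response team described in the list above.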
The above represents only a small sample of the items you would consider in the event of an actual data breach. No organization can possibly prepare for all factors, but it’s best to prepare for a majority of these in order to show good faith efforts on your part and to avoid any appearance of impropriety or negligence. If you find yourself lacking sufficient in-house resources, there are qualified legal experts and service providers who are ready to assist you.
We encourage you to practice “Breach preparedness” (similar to “Disaster preparedness” common in many organizations today). With both scenarios, it’s not a question of “if”, but “when”.
CDS advises clients on a wide range of data management concerns. Learn more about our Advisory Services.