Would you know how to react if a data breach happened to you or a client?

It was just revealed that several suburban school districts have suffered a data breach through the Pearson testing system they use. The student information stolen was full name and date of birth; staff members had their email addresses taken from the testing system. Luckily, no Social Security numbers, addresses, or bank account information had been entered into the system.

When we think of data breaches, we think of big names like Home Depot, Target and Equifax. However, more than half of the breaches that occur hit small businesses, and recently major ransomware incidents have struck municipalities across the country, affecting entire cities and states.

Texas is the latest state to suffer major ransomware events. Dozens of its cities have been told to pay a ransom in order to have their systems or files restored. In fact, the data breach on Baltimore alone is estimated to have cost the state of Maryland $18.2 million. The medical field is also facing major data breaches, with the number of breaches in 2019 already double the number in 2018.

It is important to have a procedure in place should a data breach occur. If you have an incident response plan, less time will be wasted in “panic mode” and more will be spent on productive tasks, such as identifying what was taken and securing the data. Listed below is a top ten list of things every company should consider in preparing for a breach.

Have a team in place. Sounds like a no-brainer, right? Yet most companies have not taken the time to assemble a data breach response team, and this failure increases the risk of costly missteps. Identify a team and task them with carrying out a plan. The team should be made up of members from legal, HR, communications, IT, and corporate security, as well as outside counsel, your insurance broker, and vendors from computer forensic, remediation, and notification specialist firms. Keep your phone trees up to date, and have backup team members selected.

Communicate with the team. Provide the team with the written plan and communicate regularly. Update team members on industry developments, emerging case law, and breach response trends.

Train the team. Make sure the members of the breach response team are fully up to speed on the legalities of breach response, including notification requirements, data spoliation risks, and applicable regulations. Keep training records as evidence of your best efforts to have a competent team in place; this documentation can help the plan survive outside scrutiny if a breach occurs.

Negotiate now. Have master service agreements in place with your key vendors (breach response notification specialists, call centers, credit reporting agencies, etc.). Negotiate the price (and especially the indemnification language!) now, not in the heat of the moment.

Practice! Stage “tabletop” exercises at least twice per year on a wide array of breach scenarios (loss of consumer information, trade secret breach, website hack, etc.). Maintain records of these practice sessions. Practicing the plan not only increases its effectiveness but also demonstrates how seriously you take protecting data, making the plan more defensible.

Time is not your friend. If your client suffers a breach, move fast with your investigation, forensics, and notifications. Companies that delay will pay more, particularly in fines, litigation, and settlements. As you know, some regulatory reporting “triggers” are time-sensitive, and the clock typically starts ticking once you are reasonably aware of a breach.

Time for a CSO? Data indicates that companies with a dedicated Chief Security Officer tend to pay less in breach response costs. Why? Those firms are more likely to have good controls in place. Your firm doesn’t have to be large to warrant a CSO; smaller firms with limited resources can contract with a CSO on a part-time basis. Have this conversation internally before an event occurs.

Do an assessment! Identify and inventory your company’s most valuable data. Consider selecting an outside partner to perform a full IT security assessment. Remember, the assessment should address not only your information security hardware and software, but also the components of a security plan that focus on people, processes, and policies. An assessment is a lot cheaper than a breach. Do it.

Clean the dirtiest room in the house first. Some fairly basic security measures will yield a huge ROI on your risk-reduction investment. Laptop encryption, for example, is cheap, extremely effective, and offers a big “Safe Harbor” if a laptop containing the family jewels gets lifted. Other remedies, such as multifactor authentication, requiring strong passwords, changing the default security settings on servers, and keeping your internet security software updated, will also go a very long way.

The insurance question. New insurance products can help shift some of your cyber risk. If your organization has cyber insurance and suffers a breach, engage your insurance company’s claims executives immediately. Carriers can also bring breach response experts to the table who can reduce your response costs significantly, and some of these resources are covered by the policy.