It is an unfortunate fact, but a fact nonetheless, that data breaches are going to happen. Nobody is immune from attack – not the largest multinational firms with billions of dollars, nor the mom-and-pop shop that thinks it is too small to be hit. So what can be done?
At a time when the damages and costs of a serious hack are growing, brand reputations are being sabotaged, trust in governments to keep confidential data safe continues to deteriorate, and “data thieves are becoming both more common and more brazen in their attacks and strategies… preparedness is the key to keeping damages to a minimum.”
A well-practiced plan is crucial to reacting quickly to a data breach. According to Willis, this plan should “include all the key stakeholders inside the organization. That, of course, includes IT. But it also includes HR, communications/PR, and the executive leadership. And the list should probably begin with legal counsel.”
First, know what information you have and be aware that you are responsible for that information if it is stolen. Willis points out that navigating the vast array of complex data breach laws can be difficult, especially when personally identifiable information (PII) is involved. This is yet another reason that your legal counsel should be involved from day one.
Next, have a list of the parties you will need to contact in the event of a breach. Such a list should include law enforcement agencies, credit card companies and processors, customers, vendors, clients, and employees. Again, legal counsel can be useful in determining when you are legally obliged to reach out to these parties following the attack.
Finally, know that your plan works. By testing your data breach response plan, you will have a better idea of “where additional resources may be needed, and where plans need to be adjusted and more robust. It will also help organizations better understand how carefully data breaches must be handled.”