Why Your Business Needs a Data Breach Response Plan


While any business that utilizes the Internet may experience a data breach, small businesses are particularly vulnerable as they have limited resources to devote to security. Yet, a small business owner needn't sit back and wait for disaster to strike. They can prepare their firm in advance by creating a data breach response plan.

Purpose of a Response Plan

A data breach response plan provides a roadmap to follow when a breach is discovered. It is a time-saving and stress-reducing tool. Once your plan is in place, you won't have to waste time and energy deciding what to do each time a breach occurs. You simply follow the steps that you have established in advance. A well-thought-out response plan can help you avoid missteps you are likely to make when acting in crisis mode.

Elements of a Response Plan

To be effective, a data breach response plan should include the following:

  • A definition of a breach
  • A list of response team members
  • The action steps for handling the breach
  • A follow-up procedure

Defining a Breach

One important step in developing a response plan is to decide what constitutes a breach. That is, what types of incidents will activate your plan? Some events, such as a phishing email, may have little or no effect on your company's operations. Others, like a ransomware infection or denial of service attack, may cause serious disruption.

While the definition of a breach may vary from one plan to another, it typically includes any theft of, or intrusion into, electronic data files containing sensitive information about customers, patients, clients, or employees. It should also include any theft (or attempted theft) of sensitive company information like patents, trade secrets, and other intellectual property.

Your Response Team

Your response plan should identify the members of your response team. These are the individuals who will carry out your response plan when a breach occurs. They should be trusted employees who are familiar with your business. They must take their responsibilities as team members seriously.

The size of your team and its composition depend on several factors. These include the size of your company, the industry in which you operate, and the complexity of your business. At many companies, the response team includes at least one representative from each of the following areas:

  • Human resources
  • Information technology or data security
  • Communications
  • Risk management
  • Legal
  • Senior management

Some data breaches may be too big or too complex for your employees to handle alone. To deal with these events, your team will need help from outside experts. These outside consultants should be identified in your response plan. They may include attorneys, law enforcement personnel, and data security or recovery experts.

Action Steps of Your Plan

Your response plan should provide step-by-step instructions for your response team members on what to do when a data breach occurs. Each member should be assigned a role that reflects their expertise. For instance, the responsibility for determining how the breach occurred should be assigned to a data security employee. Likewise, the task of notifying the insurer that issued your cyber liability policy should be assigned to a risk management employee. The plan should enable your team to analyze the breach, determine what went wrong, limit the damage, and make whatever improvements are needed to prevent similar events from occurring in the future.

Your response team members should carefully document all actions they took after the breach occurred. This is important for several reasons. First, the records will verify that team members followed the instructions outlined in your plan. Secondly, the documentation will provide valuable information when you are conducting your post-breach evaluation.

Thirdly, the records may be required by state or federal authorities if the breach involved data protected by law. Some types of personally identifiable information (such as credit card numbers or health information) are subject to state or federal privacy legislation. If you store sensitive data about customers, patients, or employees on your computer system and the information is compromised, you may be required by law to notify the individuals whose data has been breached. You may also be required to report the breach to a state or federal agency. Many laws specify a timeframe for notification. The notification requirements, including who must be notified and the time period mandated, should be stated in your response plan.


Once your plan has been fully implemented and the breach has been contained, you should conduct a debriefing session with your response team. Ask all members to run through the steps they took and the lessons they learned from the process. Members should describe any problems they encountered along the way so the plan can be adjusted as needed.