What to Do After a Security Breach
Just as companies run fire drills, they should rehearse what they will do when a breach occurs. Prevention alone is not enough: write an incident response plan, assign roles, and exercise it (for example in a tabletop exercise) before a real breach tests it.
A data breach is not a disaster, but mishandling one is. When a breach is discovered, execute the plan you rehearsed. Expect the experience to be stressful, and rely on the plan rather than on improvisation.
Confirm the breach before you announce it. Wait for forensic results, and for law enforcement's input where they are involved, because the initial alarm may be false or the scope may be very different from what was first reported. At the same time, have counsel track the statutory notification deadlines that apply to you, so that verifying the incident does not become an excuse for missing them.
Every breach is complicated and unique, so each one will call for a different mix of tools and outside expertise. Knowing in advance who to call and what to do makes a big difference. You might need any or all of the following: a digital forensics firm, outside counsel, a call center, a mailing vendor for notification letters, a credit monitoring service and a crisis communications firm.
Data breaches affect every part of the organization, so IT should not handle them in isolation. Besides mobilizing the legal department, you will need finance to pay vendors quickly, marketing communications to manage external messaging, human resources to communicate with employees, and a designated executive owner to brief the board and leadership.
Use qualified digital forensics investigators who follow evidence-handling and chain-of-custody procedures (some U.S. states also require them to hold an investigator license); otherwise evidence that may matter to a criminal investigation or a lawsuit can be inadvertently destroyed. Preserve attorney-client privilege by engaging the forensics firm through counsel, since everything you discover could become the subject of litigation or a regulatory investigation. Your counsel must have specific experience with data breaches.
Crisis communication and management matter because they let you set the message about the breach rather than lose control of the narrative. You will need to notify affected customers and regulators, and perhaps shareholders, in writing. U.S. state breach notification laws differ in what the notice must contain, who must receive it and how quickly it must be sent, so get both the content and the timing right.
A data breach, handled well, can improve future outcomes. Breaches are inevitable, but a post-incident review of what happened and how the response went turns each one into lessons that strengthen your operations.