Eye on Privacy: Preparing for a Data Breach: Do You Have a Plan?
• Assess your data to determine what data would be covered under breach notification laws. This is the data that, if compromised, will trigger your plan.
• Assess your security procedures, including networks, firewalls, authentication for employees and clients, encryption, physical access, document and device destruction, and your ability to monitor/audit all of these procedures.
• Assess your employee training. While secure systems are necessary, it is your employees who may make the biggest difference in how vulnerable you are. Employees should understand the risks, how to avoid phishing scams and the importance of creating an error-free environment around "at risk" data.
• Assess your insurance coverage. Don't assume you're covered under your existing policy. There are specialized policies for data breach that you should evaluate.
• Plan your communications. It's crucial to understand who gets notified internally and externally as you begin the investigation into the scope and nature of any breach. You will be legally bound to certain timeframes for some notifications, and your reputation rests on how you handle the rest.
• Once you have a plan, reevaluate it as necessary; triggers might include changes in laws, new threats, or new data or data products.
You can't be 100 percent sure that you will avoid a data breach, but you can be prepared. Do you have a plan?