Eye on Privacy: Preparing for a Data Breach: Do You Have a Plan?
Since the first of the year, Privacy Rights Clearinghouse has logged over 300 breaches involving over 23 million sensitive records. Not every data breach is the result of a malicious act, whether by an external attacker or by an insider committing fraud. Many breaches are the result of human error: lost or stolen devices, poor document or device destruction procedures, or simply unintended disclosure.
What this means is that the size of your company won't protect you from a data breach. Your company may not be large enough to attract groups such as Anonymous or LulzSec, but every company is capable of human error.
Ponemon Institute's most recent "U.S. Cost of a Data Breach Report" (March 2011) estimates the average total cost of a data breach at more than $7 million. That is an average; what a breach costs your company depends on how many records are involved, which notification obligations you trigger and how many customers you lose. With so much at stake, you want to make sure you are doing everything you can to mitigate your risk.
So, do you have a plan? If you do, that's great. If you don't, here are eight ideas to help you get started.
• Appoint someone to be in charge of your plan. This person should have the knowledge and authority to facilitate system and procedural changes and to create communication and notification plans.
• Assess your ability to monitor and comply with existing state breach notification laws. All but four states in the U.S. have them. You can find a list here. They differ on what constitutes a breach, on whether encrypted data is exempt, and on whom you must notify and how quickly. In addition, there are several federal bills pending in the House and Senate that, if passed, will affect your plan. If your data goes beyond U.S. borders, you will need to expand your plan to cover the laws of every country whose residents' data you hold. If you are not confident that you have a firm grasp of these laws, identify now a service or outside counsel you can call if needed.
• Assess your data to determine what would be covered under breach notification laws. This is the data that, if compromised, will trigger your plan. Under most state laws the trigger is an individual's name combined with a Social Security number, driver's license number or financial account number, and most of those laws exempt data that was encrypted, so the core of this assessment is knowing where those elements live and whether they are encrypted there.
• Assess your security procedures, including networks, firewalls, authentication for employees and clients, encryption, physical access, document and device destruction, and your ability to monitor and audit all of these procedures. If you cannot retrieve the relevant logs after the fact, you will not be able to determine the scope of a breach, and most notification laws make you notify as if every record were affected.
• Assess your employee training. While secure systems are necessary, it is your employees who may make the biggest difference in how vulnerable you are. Employees should understand the risks, how to recognize phishing scams and how to handle "at risk" data so that careless mistakes are not made with it.
• Assess your insurance coverage. Don't assume you're covered under your existing policy. There are specialized policies for data breach that you should evaluate.
• Plan your communications. It's crucial to know who gets notified internally and externally as you begin the investigation into the scope and nature of any breach. For some parties (affected individuals, regulators, in some states the credit bureaus) you will be legally bound to specific timeframes; for the others, your reputation rests on how you handle them.
• Once you have a plan, reevaluate it regularly. Triggers for a review include changes in laws, new threats, and new data or data products.
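As an added illustration of the "assess your data" step (this is example code written for this edit, not code from the original column), here is a small Python data-discovery scan. It applies the definition used by most state breach notification laws: an individual's name combined with a Social Security number or a financial account/payment card number, held unencrypted. The sample records, the field names it treats as a person's name (`name`, `full_name`, etc.) and the per-record `encrypted` flag are constructed assumptions about how a data store might label its contents; driver's license numbers are not pattern-matched because their format varies by state.

```python
"""Added example for the "assess your data" step (not code from the original
column). Scans constructed records for the elements that, combined with a
name, make a record notification-triggering under the common state-law
definition: Social Security number or payment card / account number. Field
names such as "name" and the per-record "encrypted" flag are assumptions
about how a data store might label its contents."""
import re
from dataclasses import dataclass
from typing import Dict, List

# SSN in the usual 3-2-4 hyphenated form; the structural check below weeds
# out impossible values such as 000-xx-xxxx that are often placeholders.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits with optional single space/hyphen separators; the Luhn
# check separates real card numbers from order IDs and phone numbers.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Assumed names for the fields that hold a person's name in our records.
NAME_FIELDS = {"name", "full_name", "first_name", "last_name"}
# Driver's license numbers are deliberately not pattern-matched: their format
# varies by state, so a generic regex would mostly produce false positives.


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural SSN check: area 001-899 except 666, group and serial non-zero."""
    a = int(area)
    return 0 < a < 900 and a != 666 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return SSNs and card numbers found in a string, keyed by type."""
    found: Dict[str, List[str]] = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            found["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found["card"].append(digits)
    return found


@dataclass
class Record:
    record_id: str
    fields: Dict[str, str]
    encrypted: bool = False  # assumed metadata: does the store encrypt these fields?


@dataclass
class Finding:
    record_id: str
    identifiers: Dict[str, List[str]]
    has_name: bool
    encrypted: bool

    @property
    def triggers_notification(self) -> bool:
        """Name plus at least one covered identifier, held unencrypted."""
        return self.has_name and any(self.identifiers.values()) and not self.encrypted


def scan_records(records: List[Record]) -> List[Finding]:
    """Report every record containing a covered identifier, in input order."""
    findings: List[Finding] = []
    for rec in records:
        ids: Dict[str, List[str]] = {"ssn": [], "card": []}
        for value in rec.fields.values():
            for kind, hits in find_identifiers(value).items():
                ids[kind].extend(hits)
        has_name = any(k.lower() in NAME_FIELDS and v.strip() for k, v in rec.fields.items())
        if any(ids.values()):
            findings.append(Finding(rec.record_id, ids, has_name, rec.encrypted))
    return findings


def notification_set(records: List[Record]) -> List[str]:
    """IDs of records whose compromise would trigger notification."""
    return [f.record_id for f in scan_records(records) if f.triggers_notification]


def review_set(records: List[Record]) -> List[str]:
    """Identifiers found without a name field or under encryption: inspect by hand."""
    return [f.record_id for f in scan_records(records) if not f.triggers_notification]


# Constructed sample rows (no real people). 4111111111111111 and
# 4012888888881881 are well-known Luhn-valid test numbers.
SAMPLE_RECORDS = [
    Record("crm-1", {"name": "Jane Doe", "notes": "SSN on file: 123-45-6789"}),
    Record("billing-7", {"full_name": "John Roe", "card": "4111 1111 1111 1111"}, encrypted=True),
    Record("orders-3", {"name": "Pat Lee", "order_ref": "4111 1111 1111 1112"}),  # fails Luhn
    Record("hr-9", {"employee": "E-42", "ssn": "000-12-3456"}),  # impossible SSN
    Record("log-2", {"text": "ticket 4012888888881881 opened by Ann Kim, call 555-123-4567"}),
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        status = "NOTIFY" if f.triggers_notification else "review"
        print(f"{f.record_id:<10} {status:<7} {f.identifiers}")
```

Two design points matter in practice. First, the Luhn and SSN structural checks are there to keep the inventory honest: a raw regex over a billing system will flag order numbers and placeholder values, and an inventory full of false positives is one nobody maintains. Second, the "review" bucket is as important as the "notify" bucket: a card number sitting in a free-text support ticket next to a customer's name is exactly the kind of record that a column-based inventory misses, and the encrypted record is only exempt if the key was not compromised along with it.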
You can't be 100 percent sure that you will avoid a data breach, but you can be prepared. Do you have a plan?