Is Breach Notification Part Of Your Response Plan?

Uploaded on 2016-04-11 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure and make things right with their customers at a critical time when a breach has damaged customer trust.

Is customer-facing breach notification and response a part of your incident response plan? It should be! This is the part where you notify people that their information has been compromised, communicate to employees and the public about what happened and set the tone for recovery. It's more art than science, with different factors that influence what and how you do the notification and response.
 
Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure and make things right with their customers at a critical time when a breach has damaged customer trust.

At RSA Conference last week, I moderated a panel discussion with three industry experts (Bo Holland of AllClear ID, Lisa Sotto of Hunton & Williams, and Matt Prevost of Chubb) who offered their insights into the what to do, how to do it, and how to pay for it and offset the risk as it relates to breach notification and response.

Highlights from the discussion:

What legal obligations exist for breach notification? You’re likely facing at a patchwork of laws and regulatory requirements, with varying conditions, with more on the way. Check with legal counsel to see what applies to your business. Today, 47 states and 4 territories require notification for unauthorized acquisition or access to sensitive information.

There are also specific industry-related notification obligations, such as with HIPAA, HITECH, and GLBA. The proposed EU GDPR includes a tight 72 hour notification requirement, not just for breaches of personal data but also for cyber events. You may also have contractual obligations with business partners that outline notification requirements too.  

Should organizations still notify if they don’t have to? Even if you’re not required to notify by law, you still have a choice and it’s a complicated decision. To notify or not involves some degree of brand and reputational risk regardless of the choice you make. Think of the potential for future harm and liability that could accompany the choice not to notify, as well as the extent of which you will be able to manage the response should the breach event and your decision not to notify come to light. Ultimately, a guiding star is the customer relationship and your promise to them about how you handle and protect their data. Firms will likely err on the side of caution and notify.

How can firms set themselves up for success with breach notification?
Don’t notify too early. You’ll be criticized either way, so let the investigators help uncover as much information as they can about what happened to help you better communicate the facts. Consider issuing a hold statement in the meantime – something that states you’re aware of the issue.  

Define what constitutes a breach, vs a security incident, in your business partner and service provider contracts. This is important from a cyber insurance claims analysis perspective to help with breach notification costs.
Cultivate relationships with local law enforcement, your local FBI and secret service gurus – before a breach event. Go above and beyond state attorney general expectations and be proactive with engaging with them during a breach event; you don’t want them to hear about the breach in the news before you tell them.

Consider breach notification an extension of the customer relationship and mesh it with your crisis communication and incident response plans. Make sure your customers feel taken care of and cared about. Be forthright, contrite, and consistent in your communications. First coordinate communications and guidance to your employees, especially those in customer-facing roles.

Information-Management

« Typo Thwarts Hackers In $1B Cyber Heist
CIOs Fear Fines From New EU Data Laws »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Global Knowledge Training

Global Knowledge Training

Global Knowledge is a worldwide leader in IT and business training, featuring Cisco, Microsoft, VMware, IBM, security, cloud computing, and project management.

Spiceworks

Spiceworks

Spiceworks provide a range of free apps for IT professionals including network inventory, network monitor, and help desk.

Luxar Tech

Luxar Tech

Luxar's network visibility products enable enterprises and service providers to monitor network traffic, improve security and optimize efficiency.

Blue Ridge Networks

Blue Ridge Networks

Blue Ridge offers a suite of solutions that enable secure remote access to the enterprise network with protection and control of endpoints.

ObjectSecurity

ObjectSecurity

ObjectSecurity is a leader in authorization policy automation. With OpenPMF, you can manage application security policies for access control and auditing.

Network Box

Network Box

Network Box is one of the world's leading Managed Security Service Providers.

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst helps Canadians and Canadian companies seize the opportunities and tackle the challenges of cybersecurity.

Nameshield Group

Nameshield Group

Nameshield is one of most experienced domain name registrars, trademark protection specialists and managers of online reputational risk in the world today.

Networks Unlimited

Networks Unlimited

Networks Unlimited is a leading value-added distributor in Africa, providing technology solutions with a focus on security, networking, enterprise systems management and cloud technologies.

Comcast Business

Comcast Business

Comcast Business keeps businesses ready for what’s next with powerful connectivity, advanced cybersecurity solutions, and the right people at your side.

Cyber7

Cyber7

CYBER7 is a National Cyber Security Innovation community initiated by Israel National Cyber Directorate, Ministry of Economy and Israel Innovation Authority led by Tech7 – Venture Studio.

1Touch.io

1Touch.io

1touch.io Inventa is an AI-based, sustainable data discovery and classification platform that provides automated, near real-time discovery, mapping, and cataloging of all sensitive data.

Buguard

Buguard

Buguard is a multi-award-winning supplier of Application Security Assessments and GRC services.

CyberMaxx

CyberMaxx

At CyberMaxx, our approach to cybersecurity provides end-to-end coverage for our customers – we use offense to fuel defense.

A&O Shearman

A&O Shearman

A&O Shearman is a law firm at the forefront of the forces changing the current of global business: energy transition, life sciences, technology, private capital, finance and beyond.

Valmet

Valmet

Valmet is a leading global developer and supplier of process technologies, automation and services for the pulp, paper and energy industries.