Is Breach Notification Part Of Your Response Plan?

Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure and make things right with their customers at a critical time when a breach has damaged customer trust.

Is customer-facing breach notification and response a part of your incident response plan? It should be! This is the part where you notify people that their information has been compromised, communicate to employees and the public about what happened and set the tone for recovery. It's more art than science, with different factors that influence what and how you do the notification and response.
 
Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure and make things right with their customers at a critical time when a breach has damaged customer trust.

At RSA Conference last week, I moderated a panel discussion with three industry experts (Bo Holland of AllClear ID, Lisa Sotto of Hunton & Williams, and Matt Prevost of Chubb) who offered their insights into the what to do, how to do it, and how to pay for it and offset the risk as it relates to breach notification and response.

Highlights from the discussion:

What legal obligations exist for breach notification? You’re likely facing at a patchwork of laws and regulatory requirements, with varying conditions, with more on the way. Check with legal counsel to see what applies to your business. Today, 47 states and 4 territories require notification for unauthorized acquisition or access to sensitive information.

There are also specific industry-related notification obligations, such as with HIPAA, HITECH, and GLBA. The proposed EU GDPR includes a tight 72 hour notification requirement, not just for breaches of personal data but also for cyber events. You may also have contractual obligations with business partners that outline notification requirements too.  

Should organizations still notify if they don’t have to? Even if you’re not required to notify by law, you still have a choice and it’s a complicated decision. To notify or not involves some degree of brand and reputational risk regardless of the choice you make. Think of the potential for future harm and liability that could accompany the choice not to notify, as well as the extent of which you will be able to manage the response should the breach event and your decision not to notify come to light. Ultimately, a guiding star is the customer relationship and your promise to them about how you handle and protect their data. Firms will likely err on the side of caution and notify.

How can firms set themselves up for success with breach notification?
Don’t notify too early. You’ll be criticized either way, so let the investigators help uncover as much information as they can about what happened to help you better communicate the facts. Consider issuing a hold statement in the meantime – something that states you’re aware of the issue.  

Define what constitutes a breach, vs a security incident, in your business partner and service provider contracts. This is important from a cyber insurance claims analysis perspective to help with breach notification costs.
Cultivate relationships with local law enforcement, your local FBI and secret service gurus – before a breach event. Go above and beyond state attorney general expectations and be proactive with engaging with them during a breach event; you don’t want them to hear about the breach in the news before you tell them.

Consider breach notification an extension of the customer relationship and mesh it with your crisis communication and incident response plans. Make sure your customers feel taken care of and cared about. Be forthright, contrite, and consistent in your communications. First coordinate communications and guidance to your employees, especially those in customer-facing roles.

Information-Management

« Typo Thwarts Hackers In $1B Cyber Heist
CIOs Fear Fines From New EU Data Laws »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Hotlava Systems

Hotlava Systems

HotLava network adapters enable today's powerful servers and workstations to deliver more productivity by reducing congestion at the network interface.

Performanta

Performanta

Performanta offer a consultative approach to people, process and technology, focusing on security projects in line with adversarial, accidental and environmental business risk.

Nullcon

Nullcon

Nullcon provides an integrated platform for exchanging information on the latest attack vectors, zero-day vulnerabilities and unknown threats.

CyberArrow

CyberArrow

CyberArrow (formerly EBDAA) is a consultancy company providing high quality consultancy services in Risk & Compliance and Awareness & Education.

National Cybersecurity Institute (NCI) - Excelsior College

National Cybersecurity Institute (NCI) - Excelsior College

NCI is Excelsior College’s research center dedicated to assisting government, industry, military and academic sectors meet the challenges in cybersecurity policy, technology and education.

LinOTP

LinOTP

LinOTP is an enterprise level, innovative, flexible and versatile OTP-platform for strong authentication.

Cowbell Cyber

Cowbell Cyber

Cowbell Cyber™ offers continuous risk assessment, comprehensive cyber liability coverage, and continuous underwriting through an AI-powered platform.

X-Ways Software Technology

X-Ways Software Technology

X-Ways provide software for computer forensics, electronic discovery, data recovery, low-level data processing, and IT security.

Police Digital Security Centre (PDSC)

Police Digital Security Centre (PDSC)

PDSC is a not-for-profit organisation, owned by the police, that works across the UK in partnership with industry, government, academia and law enforcement.

3wSecurity

3wSecurity

3wSecurity provides visibility to your company’s internet facing systems throughout the security life cycle, allowing for a more thorough approach to vulnerability management.

Pivot Technology School

Pivot Technology School

Pivot Tech offers Data Analytics, Software Development and Cyber Security training in boot camp style cohorts.

FTCYBER

FTCYBER

FTCYBER offers the latest technology and data recovery services to identify and extract data from computers and other digital devices.

Aikido Technology Services

Aikido Technology Services

Aikido Technology Services is a leading-edge technology solutions provider, servicing the Pacific North West USA. We offer affordable IT solutions designed to streamline and secure your business.

Firesand

Firesand

Based in Milton Keynes, Firesand Ltd provides penetration testing services to improve your cyber security and protect your company against hackers.

SecureDNE

SecureDNE

SecureDNE are a leading provider of cutting-edge Fractional CISO, Managed Cybersecurity Services, and Cybersecurity Engineering Solutions.

SafeAeon

SafeAeon

SafeAeon is a leading Cybersecurity-as-a-Service provider, offering 24x7 premium Managed Security Services with AI-powered and Human-driven 24x7 SOC.