Is Breach Notification Part Of Your Response Plan?

Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure and make things right with their customers at a critical time when a breach has damaged customer trust.

Is customer-facing breach notification and response a part of your incident response plan? It should be! This is the part where you notify people that their information has been compromised, communicate to employees and the public about what happened and set the tone for recovery. It's more art than science, with different factors that influence what and how you do the notification and response.
 
Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure and make things right with their customers at a critical time when a breach has damaged customer trust.

At RSA Conference last week, I moderated a panel discussion with three industry experts (Bo Holland of AllClear ID, Lisa Sotto of Hunton & Williams, and Matt Prevost of Chubb) who offered their insights into the what to do, how to do it, and how to pay for it and offset the risk as it relates to breach notification and response.

Highlights from the discussion:

What legal obligations exist for breach notification? You’re likely facing at a patchwork of laws and regulatory requirements, with varying conditions, with more on the way. Check with legal counsel to see what applies to your business. Today, 47 states and 4 territories require notification for unauthorized acquisition or access to sensitive information.

There are also specific industry-related notification obligations, such as with HIPAA, HITECH, and GLBA. The proposed EU GDPR includes a tight 72 hour notification requirement, not just for breaches of personal data but also for cyber events. You may also have contractual obligations with business partners that outline notification requirements too.  

Should organizations still notify if they don’t have to? Even if you’re not required to notify by law, you still have a choice and it’s a complicated decision. To notify or not involves some degree of brand and reputational risk regardless of the choice you make. Think of the potential for future harm and liability that could accompany the choice not to notify, as well as the extent of which you will be able to manage the response should the breach event and your decision not to notify come to light. Ultimately, a guiding star is the customer relationship and your promise to them about how you handle and protect their data. Firms will likely err on the side of caution and notify.

How can firms set themselves up for success with breach notification?
Don’t notify too early. You’ll be criticized either way, so let the investigators help uncover as much information as they can about what happened to help you better communicate the facts. Consider issuing a hold statement in the meantime – something that states you’re aware of the issue.  

Define what constitutes a breach, vs a security incident, in your business partner and service provider contracts. This is important from a cyber insurance claims analysis perspective to help with breach notification costs.
Cultivate relationships with local law enforcement, your local FBI and secret service gurus – before a breach event. Go above and beyond state attorney general expectations and be proactive with engaging with them during a breach event; you don’t want them to hear about the breach in the news before you tell them.

Consider breach notification an extension of the customer relationship and mesh it with your crisis communication and incident response plans. Make sure your customers feel taken care of and cared about. Be forthright, contrite, and consistent in your communications. First coordinate communications and guidance to your employees, especially those in customer-facing roles.

Information-Management

« Typo Thwarts Hackers In $1B Cyber Heist
CIOs Fear Fines From New EU Data Laws »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

NQA Certification

NQA Certification

NQA provides certification to a range of ISO standards including ISO 27001 for information security management.

IBackup

IBackup

IBackup is a Web Based Online Backup service provider.

CyRise

CyRise

CyRise is a venture accelerator focused squarely on early stage cyber security startups.

AppTec

AppTec

AppTec is a leading software vendor in the field of Unified Endpoint Management and Mobile Security.

Quest Software

Quest Software

Simple IT management for a complex world. Whether it’s digital transformation, cloud expansion, security threats or something new, Quest helps you solve complex problems with simple solutions.

S2T

S2T

S2T builds cyber intelligence solutions based on deep expertise in diverse domains such as intelligence, machine learning and AI, big data processing, statistics and linguistics.

IdentityIQ

IdentityIQ

IdentityIQ is a US-based identity theft and credit protection company designed to help users stay on top identity thieves and data breaches.

ChainSecurity

ChainSecurity

ChainSecurity provides products and services for securing smart contracts and blockchain protocols and conducts R&D in the areas of security, program analysis, and machine learning.

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL) is the largest integrated Information Communication Technology (ICT) company of Pakistan.

LAVAAT

LAVAAT

At LAAVAT, our goal is to make it easy for our customers to build secure IoT devices without a need to invest considerably in embedded security and cryptography expertise.

Mitigate Cyber

Mitigate Cyber

Mitigate Cyber (formerly Xyone Cyber Security) offer a range of cyber security solutions, from threat mitigation to penetration testing, training & much more.

ADNET Technologies

ADNET Technologies

ADNET Technologies is a SOC 2, Type II Compliant IT management and cybersecurity firm.

RapidSpike

RapidSpike

RapidSpike is the only website monitoring solution that focuses all three key aspects of website health: performance, reliability AND security.

Hexagon

Hexagon

Hexagon is a global leader in digital reality solutions. We are putting data to work to boost efficiency, productivity, quality and safety.

Disecto Technologies

Disecto Technologies

At Disecto, we provide SaaS based Data Discovery, Classification and a remediation solution for data privacy compliance.

Custocy

Custocy

Custocy is a unique collaborative AI technology that identifies sophisticated and unknown (zero-day) attacks.