Is Breach Notification Part Of Your Response Plan?

Uploaded on 2016-04-11 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure and make things right with their customers at a critical time when a breach has damaged customer trust.

Is customer-facing breach notification and response a part of your incident response plan? It should be! This is the part where you notify people that their information has been compromised, communicate to employees and the public about what happened and set the tone for recovery. It's more art than science, with different factors that influence what and how you do the notification and response.
 
Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure and make things right with their customers at a critical time when a breach has damaged customer trust.

At RSA Conference last week, I moderated a panel discussion with three industry experts (Bo Holland of AllClear ID, Lisa Sotto of Hunton & Williams, and Matt Prevost of Chubb) who offered their insights into the what to do, how to do it, and how to pay for it and offset the risk as it relates to breach notification and response.

Highlights from the discussion:

What legal obligations exist for breach notification? You’re likely facing at a patchwork of laws and regulatory requirements, with varying conditions, with more on the way. Check with legal counsel to see what applies to your business. Today, 47 states and 4 territories require notification for unauthorized acquisition or access to sensitive information.

There are also specific industry-related notification obligations, such as with HIPAA, HITECH, and GLBA. The proposed EU GDPR includes a tight 72 hour notification requirement, not just for breaches of personal data but also for cyber events. You may also have contractual obligations with business partners that outline notification requirements too.  

Should organizations still notify if they don’t have to? Even if you’re not required to notify by law, you still have a choice and it’s a complicated decision. To notify or not involves some degree of brand and reputational risk regardless of the choice you make. Think of the potential for future harm and liability that could accompany the choice not to notify, as well as the extent of which you will be able to manage the response should the breach event and your decision not to notify come to light. Ultimately, a guiding star is the customer relationship and your promise to them about how you handle and protect their data. Firms will likely err on the side of caution and notify.

How can firms set themselves up for success with breach notification?
Don’t notify too early. You’ll be criticized either way, so let the investigators help uncover as much information as they can about what happened to help you better communicate the facts. Consider issuing a hold statement in the meantime – something that states you’re aware of the issue.  

Define what constitutes a breach, vs a security incident, in your business partner and service provider contracts. This is important from a cyber insurance claims analysis perspective to help with breach notification costs.
Cultivate relationships with local law enforcement, your local FBI and secret service gurus – before a breach event. Go above and beyond state attorney general expectations and be proactive with engaging with them during a breach event; you don’t want them to hear about the breach in the news before you tell them.

Consider breach notification an extension of the customer relationship and mesh it with your crisis communication and incident response plans. Make sure your customers feel taken care of and cared about. Be forthright, contrite, and consistent in your communications. First coordinate communications and guidance to your employees, especially those in customer-facing roles.

Information-Management

« Typo Thwarts Hackers In $1B Cyber Heist
CIOs Fear Fines From New EU Data Laws »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Leonardo

Leonardo

Leonardo (formerly Finmeccanica) is a global high-tech company in Aerospace, Defence, Security & Information Systems including Cybersecurity & ICT solutions.

EG-CERT

EG-CERT

EG-CERT is the national Computer Emergency Response Team for Egypt.

Dreamlab Technologies

Dreamlab Technologies

Over the last 20 years, Dreamlab Technologies has established itself as a source of constant innovation within the information security landscape.

UKAS

UKAS

UKAS is the national accreditation body for the UK. The directory of members provides details of organisations offering certification services for ISO 27001.

IP Twins

IP Twins

IP Twins offer a wide range of services related to domain names and online brand protection.

ThriveDX

ThriveDX

ThriveDX, the world’s premier EdTech provider (formerly HackerU), champions digital transformation training as a means of empowering individuals to thrive in the age of digital disruption.

Private Machines

Private Machines

Private Machines develops unique patent-pending technology protects cloud and data center workloads.

SecurityGate

SecurityGate

SecurityGate.io is the only Integrated Risk Management platform built for OT/ICS cybersecurity. The leading Risk Assessment Platform for Critical Infrastructure.

Soliton

Soliton

Soliton is a leading Japanese technology company and a pioneer in IT security solutions for protecting company resources and data from external IT security threats.

Information Technology Solutions (ITS)

Information Technology Solutions (ITS)

Information Technology Solutions is a single source provider for managing and securing mission-critical IT services.

CYDEF

CYDEF

CYDEF provides comprehensive, state-of-the-art cybersecurity protection that is accessible and affordable to organizations of any size.

The Purple Guys

The Purple Guys

The Purple Guys offer Trouble-Free IT Support to businesses across the Central and Southern US. Safe and Secure, Rapid Response, Friendly Support that’s our Purple Promise.

DataProof Communications

DataProof Communications

DataProof Communications is Cybersecurity Company specialising in cybersecurity operations, incident management and response best practices and technologies.

Nordic Defender

Nordic Defender

Nordic Defender is the first crowd-powered modern cybersecurity solution provider in the Nordic region.

DuploCloud

DuploCloud

DuploCloud offers an end-to-end DevOps software platform for dev teams that don’t have dedicated DevOps engineers and augments those that do.

National Cybersecurity Agency (ANCI) - Chile

National Cybersecurity Agency (ANCI) - Chile

ANCI (Agencia Nacional de Ciberseguridad) is the National Cybersecurity Agency of Chile.