Wednesday, September 5, 2012
How will your company respond if an incident does happen? Spiezle offered the following advice on developing a strong plan for acting in the wake of a data breach.
1. What Data Do You Have? The first step is to fully understand the kinds of customer information your company is handling and storing--and why. It might sound obvious, but according to Spiezle, breaches often expose how little an organization knows about its data. "I've gone through a lot of breach responses with companies where people are literally sitting around a table saying 'I had no idea we were doing that,'" Spiezle said. That can exponentially complicate matters when a data-loss event occurs--you can't very well determine the consequences and communicate them appropriately if you don't know what was at stake in the first place. Assess the kinds of data you have, who has access to it, and why.
The general rule of thumb: Limit access to those who need it for legitimate business reasons. Put a particularly high burden of proof on the case for storing sensitive customer information on laptops, external drives, mobile devices, and other hardware that can be easily lost or stolen.
2. What Are Your Regulatory Requirements? Spiezle is quick to note that this is one of the toughest data-breach challenges for SMBs that lack a compliance officer--much less an entire compliance staff--or that rely on IT generalists rather than information security specialists. But your regulatory requirements will dictate what you must do in data-breach scenarios. These are defined by the likes of HIPAA or PCI, but Spiezle noted that 46 states also now have some form of reporting requirements.
Alas, while there are vendors that can help, there's no central online destination for companies to assess all of their compliance requirements. Spiezle thinks federal legislation could help. "It is a very complex issue, and [it] again underscores the importance of pre-planning," he said.
Bonus advice: Be proactive. If you do seek help from a vendor, Spiezle pointed out that it's much better to do this when you don't already have a problem--it's tough to get the best terms if you're negotiating at 3 a.m. on a Saturday after a breach has already occurred.
3. Who Will You Notify? Knowing who you'll need to communicate with can help lead to faster, more effective responses to data-loss events. Identify those groups before something goes wrong. "This might be partners, customers, [or] government agencies," Spiezle said. He noted that some companies develop relationships with appropriate law enforcement agencies in advance so that they know the proper people to contact in the event of a data breach. Consider it the business equivalent of keeping a list of emergency contact numbers near your home phone.
4. When Will You Notify Them? This is a tricky and much-debated area: How soon should you notify affected customers and other stakeholders? Spiezle said it's a case-by-case decision. With law enforcement or other government agencies, it's usually an ASAP scenario. Customers and partners are a tougher call. On the one hand, Spiezle said, you don't want them to find out from the media or other external sources. On the other hand, you don't want to make things worse by communicating inaccurate information, which can happen if you act too quickly. Some of this decision may be guided the regulatory requirements your company operates under, too. Rule of thumb: Communicate as quickly as possible without sacrificing the clarity and accuracy of the information you provide.
5. What Will You Say? One way to cut down your response time and outreach efforts: Prepare your customer and other external communications in advance. This gets back to the importance of Tip 1--it's tough to accurately message a breach if you don't know what data you had in the first place. If you've got a complete understanding of your information and how you handle it, you can develop solid communications templates in advance.