Do’s and Don’ts after a Data Breach
by David Willson, Attorney, Titan Info Security Group and member of the PSA Cybersecurity Committee
Today, suffering a data breach is a foregone conclusion. If you don’t believe it, well, I am not sure what to say, other than, “Good luck.”
For everyone else, here are a few tips you can use prior to and after a breach that may help protect you.
You do not want to be scrambling and forced into hurried reactions after the breach. What will you do and how will you react the day and moment you find out your company has suffered a breach?
- Do you know who to call? Make a prioritized list of the key contacts to call when a breach occurs, and keep it updated.
- Do you have a draft message prepared for when you have to make a public statement to the media, shareholders, and customers? When drafting the message, use a fictitious breach, one that is likely for your company, and make sure the message is confident and reassuring, one you would feel comfortable providing to anyone. Run it by a number of colleagues, your attorney, and perhaps a public affairs firm.
- Do you have insurance? Can you truthfully claim now that you have put a security plan in place and that it has been captured in policies well known to all employees? Remember, negotiating a contract for support is easier when you are not under pressure.
DON’T IGNORE THE EVIDENCE OF A BREACH
As I outlined in my latest article, “Reasonable Security,” many companies that have been breached made things worse by not being prepared and by making poor decisions after they found out about the breach. Don’t ignore the potential evidence of a breach or act like it didn’t happen. Don’t push all the heavy lifting of the incident response onto the IT department. A breach response carries a lot of potential liability and has many moving parts, so many companies are now hiring law firms to oversee the response, protect their reputation, and reduce liability.
PLAN WHO TO CALL FIRST
Most companies immediately call their insurance carrier. Just one caution: in many cases the insurance company will want to investigate the breach. If you lied on the application or failed to meet the requirements of the policy, chances are your claim will be denied. So, don’t lie on the application, and make sure that the security implementation you claimed to have in place really was, and still is, in place.