Data Breach Response Steps
By Henry Bagdasarian
Companies have to take certain data breach response steps whether a breach occurs at their own company or elsewhere. We frequently hear about personal data breach incidents that put companies and consumers at risk. You may think that your company's strong information security practices will protect your business and customers in the face of growing data breach threats; however, personal information stolen from anywhere can be used to defraud any company, damaging its reputation, financial position, and customers.

To be realistic, companies should assume that some of the information security controls within their company or elsewhere will fail to operate effectively at one point or another, and must therefore be prepared to deal with the consequences of data breach incidents occurring inside or outside their businesses.
Internal Data Breach Response Steps
If a company becomes aware of an incident within its own business, it may have to take certain steps to satisfy regulators and its customers, such as:
- Perform a risk and impact assessment. Periodic security risk assessments are critical for managing risk on an ongoing basis, but a risk and impact assessment following a data breach incident is also important: it analyzes the threat and the business vulnerabilities that may not have been discovered or resolved in past risk assessments. The impact assessment is also what determines whether customer notification is required under privacy laws.
- Mitigate security vulnerabilities. If the assessment uncovers a vulnerability, the company should move quickly to mitigate the risk; this is important to prevent similar attacks in the future.
- Send customer notifications. If the impact assessment concludes that customer or employee personal data was compromised, the company must notify all affected individuals as required by the applicable breach notification laws, and should consider providing identity protection services.
External Data Breach Response Steps
When companies learn about data breach incidents that occurred elsewhere, they can also take certain steps to protect themselves:
- Learn from the incident. When a breach occurs elsewhere, companies should take advantage of the situation and learn from it in order to assess and mitigate their own vulnerabilities. Incidents that occurred elsewhere provide extremely valuable information at no added cost.
- Reinforce policies and procedures. Businesses that face a high risk of identity fraud, which can be committed with information stolen from any source, must update their identity theft prevention program, communicate the policies and procedures to the front-line employees who face fraud attempts daily, and provide the training required by the Red Flags Rule.
- Monitor fraud red flags. Businesses should also update their fraud detection systems to identify suspicious patterns whether transactions occur online, on the phone, in person, or by mail. The Red Flags Rule guidelines list 26 examples of identity theft red flags that companies should watch for.
- Check vendors. If your company outsources services to third-party vendors, assess whether weaknesses in their controls could affect your company. This can be done by reviewing independent audit reports and completed checklists; then require evidence of risk mitigation.
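As an added example that is not part of the original article, the following Python script shows what "monitoring red flags" can look like once it is written as detection logic rather than policy. It runs two checks over a handful of constructed transaction events, regardless of the channel they arrived on: a request for a new or replacement card shortly after an address change on the same account, and one Social Security number presented to open more than one account, both of the kind that appear among the Red Flags Rule's illustrative examples. The event format, the field names, the sample data and the 30-day window are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real customer data). Each record is one
# customer-facing transaction; "channel" records how it arrived, since the
# same red flag applies online, by phone, in person, or by mail.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "account": "A-100", "type": "address_change", "channel": "phone",     "ssn": "111-11-1111"},
    {"ts": "2024-03-03T14:30:00", "account": "A-100", "type": "card_request",   "channel": "online",    "ssn": "111-11-1111"},
    {"ts": "2024-03-02T10:00:00", "account": "A-200", "type": "account_open",   "channel": "in_person", "ssn": "222-22-2222"},
    {"ts": "2024-03-05T11:00:00", "account": "A-300", "type": "account_open",   "channel": "mail",      "ssn": "222-22-2222"},
    {"ts": "2024-02-01T08:00:00", "account": "A-400", "type": "address_change", "channel": "online",    "ssn": "333-33-3333"},
    {"ts": "2024-03-20T08:00:00", "account": "A-400", "type": "card_request",   "channel": "online",    "ssn": "333-33-3333"},
]

# Assumed threshold: how soon after an address change a card request is suspicious.
ADDRESS_CHANGE_WINDOW = timedelta(days=30)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def flag_card_after_address_change(events, window=ADDRESS_CHANGE_WINDOW):
    """Red flag: a new/replacement card requested shortly after an address change.

    Events are grouped per account and walked in time order, so the check only
    fires when the card request follows the most recent address change within
    the window.
    """
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        last_change = None
        for e in evs:
            if e["type"] == "address_change":
                last_change = _parse(e["ts"])
            elif e["type"] == "card_request" and last_change is not None:
                gap = _parse(e["ts"]) - last_change
                if gap <= window:
                    alerts.append({
                        "red_flag": "card_request_after_address_change",
                        "account": account,
                        "days_since_change": gap.days,
                        "channel": e["channel"],
                    })
    return alerts


def flag_shared_identifier(events):
    """Red flag: the same SSN used to open more than one account."""
    accounts_by_ssn = defaultdict(set)
    for e in events:
        if e["type"] == "account_open":
            accounts_by_ssn[e["ssn"]].add(e["account"])
    return [
        {
            "red_flag": "identifier_reused_across_accounts",
            "ssn_last4": ssn[-4:],          # never log the full identifier
            "accounts": sorted(accounts),
        }
        for ssn, accounts in accounts_by_ssn.items()
        if len(accounts) > 1
    ]


def run_red_flag_checks(events):
    """Run every check and return the combined list of alerts for review."""
    return flag_card_after_address_change(events) + flag_shared_identifier(events)


if __name__ == "__main__":
    for alert in run_red_flag_checks(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample data, the script raises two alerts: the card request on A-100 two days after its address change, and the SSN shared by A-200 and A-300. The A-400 card request is not flagged because it came 48 days after the address change, outside the assumed window; the window is the kind of parameter a real program would tune from its own fraud history.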