7 Components of a Business Data Breach Defense Plan
Most businesses store confidential information, such as client or employee addresses, phone numbers, social security numbers, dates of birth or credit card information. A data breach could result in theft of that client or employee information. Individuals, known as hackers, may try to gain unauthorized access to private business or client data, and such an intrusion could result in confidential data being viewed or stolen. It is important that businesses have a data breach defense plan ready so that they can take quick action. The following seven components should be included in a business data breach defense plan.
- Appoint a Breach Response Team: One person from each department should be assigned to the response team. Be sure to include management leaders, security personnel, human resources, IT staff, customer service and public relations representatives on the breach response team. The breach response team leader should be in charge of coordinating the company’s response efforts. List names and contact information for each person appointed to the breach response team in the defense plan.
- Include Vital Tasks: All tasks vital to investigating the breach, the steps to assess the breach and the public relations steps should be documented in the defense plan. The defense plan should be updated frequently.
- Journal for Documentation: A journal should be designated to document the date and time the breach is detected. Other details of the investigation may be noted in the journal as well. The journal is an important component of the data breach defense plan.
- Establish Relationship with External Sources: The breach response team should develop a relationship with law enforcement officials in advance of a breach. A relationship should also be established with a breach resolution vendor and an identity theft protection service. The names and contact information of the law enforcement officials, the selected breach resolution vendor and the identity theft protection service should be included in the plan.
- Train and Update Staff: All staff should be trained on breach protocol. Staff should be aware of breach response team members and informed to call the team leader if an incident occurs. Members of the data breach response team should be assigned to train the staff. The staff should have access to copies of the data breach defense plan.
- Public Statement: A public relations response team member should prepare a statement in conjunction with top management leaders, the data breach resolution vendor and a representative from the identity theft protection service. The statement should include details of how clients or employees impacted by the breach will be contacted. The statement should be broadcast on a local news station. A sample public statement should be included in the defense plan.
- Notify Persons Affected: Notify persons affected by the data breach. Identity theft protection should be offered to each client or employee impacted by the data breach. The company should be prepared to respond to inquiries concerning the data breach. List details of the identity theft protection offer and sample notification letters in the defense plan.