You thought everything was in its right place. Firewalls are properly configured, systems are patched on a scheduled basis, anti-virus is up-to-date… but something has gone wrong and your network has been breached. Your employees' or customers' Personally Identifiable Information ("PII") has been taken, or worse, made public… but what happens next?
Notification… All of the states in the U.S. (except Alabama, New Mexico, and South Dakota) require entities to notify individuals of data breaches involving PII. Some states also require notification to a state attorney general or regulator. The requirements vary from state to state, and they are evolving. (The breach notification laws by state can be found here.) For example, in Tennessee, notification was only required if the data was unencrypted, and the organization had up to 45 days to give notification. But on March 24th, Tennessee amended its breach notification law and became the first state to require notification regardless of whether the PII was encrypted.
Not only are data breaches damaging to the people and companies affected, they are also a costly event. The costs of notification, regulatory fines, and IT forensics and recovery can quickly snowball into catastrophic expenses for a company, regardless of its size.
In order to meet breach notification requirements, companies need to develop a comprehensive Incident Response Plan ("IRP") in addition to their disaster recovery plan. The IRP should include guidance on:
- Staff roles and responsibilities
- Staff communication protocols
- How to determine whether a breach actually occurred, whether data was compromised, and exactly what was viewed or taken
- How breach notification to regulators and affected parties will be handled
- How the breached data should be contained and further occurrences prevented
- Recovering from the event: how the business will get back on its feet and bring its IT systems back online
During development and after completion of the IRP, it should be tested continuously through tabletop exercises. These role-playing events ensure the plan works as intended and allow staff to become familiar with the process. Being able to control the company's messaging is crucial to its recovery after a breach occurs.
The breach notification laws that each state currently enforces will probably become even stricter in the future, placing a further burden on companies to respond appropriately. Without a proper plan in place, deadlines will be missed, and further penalties and damage to brand reputation may follow.
Click here to request more information about The ALS Group or for help on putting together your organization’s Incident Response Plan.