Experience is critical in data breach response services. In our business, we find that the levels of preparedness vary from client to client, ranging from those who have credentialed privacy officers with significant breach response experience to those that really have little or no experience managing a data breach incident.
When we first meet with clients we like to begin with education. For those of us who live in the information security and privacy world, we sometimes forget that although a data breach is a C-level issue, not everyone is versed in the 45+ state regulations, HITECH, and international data protection statutes. We start at the beginning and take our clients through all aspects of a breach response. Very rarely do we find that people do not want or need the education components. Even “experts” need a refresher from time to time.
An important aspect of education is leveraging the lessons we have learned and some of the things we have come across that have been really helpful. For example, early on, we did a breach response for a client who sent out notification letters that contained the client's own phone number on the letterhead. Instead of calling the designated call center, many of the affected individuals went directly to the client by calling the number on the letterhead. Another example is returned mail management. A client suffered a large breach incident and ended up with 800,000+ pieces of undelivered mail. On a large incident, a small detail like returned mail management is critical. These are two examples of the many “lessons learned” that we incorporate into educational presentations.
The Tabletop Exercise
One of the best ways to test a business continuity plan is the tabletop exercise. Our version of a tabletop exercise is a “mock breach” on steroids. Breaches are like fingerprints: every one is unique. The more conditions and cases you can incorporate into a mock incident, the better. I recommend testing multiple scenarios, including those that are merely possible rather than likely. If you do not possess protected health information (PHI), a tabletop focused on PHI might not benefit your organization as much as one focused on a payment card incident.
The key, and probably the biggest challenge, in the tabletop exercise is getting the right people in the room. It is a challenge, but definitely worth the effort to organize.
The Roles and Responsibilities Document
Having a roles and responsibilities document is critical to a breach response plan. As I mentioned before, data breaches are a C-level issue and executives need to be involved in the incident response planning process. Documenting the roles and responsibilities of the response team is critical to managing an incident. If your CEO is not aware of your incident response plan and is contacted by the press, how are communications going to be managed effectively? A written incident response plan and a proactive posture are necessary to manage an incident effectively.
Vinny T. Sakore was named Vice President of Business Development of Immersion, Ltd. in 2010. Vinny has 15 years of experience in Healthcare IT and Operations. He is also an active member of HIMSS, PLUS, and IAPP. Vinny holds a CIPP/IT credential through IAPP and leverages his privacy knowledge and information technology experience to assist clients in responding to a data breach incident.