This column is available in a weekly newsletter called IT Best Practices.
Michael Bruemmer's team is busy these days, and that's both good news and bad news for companies like yours. Bruemmer heads up the Data Breach Resolution group at Experian. This team provides the call center, notification and identity theft protection services to clients following a data breach.
Over a span of 12 years, this arm of Experian has serviced nearly 17,000 breaches. In 2015, the group serviced 3,550 different incidents, from small breaches that affected just a few hundred people, to the headline-making breaches that affected tens of millions. The fact that Experian has been involved in responding to so many breaches is the bad news I alluded to.
On the good news side, Bruemmer says his group actually spends most of its time doing pre-breach work, helping clients and cyber insurance carriers prepare for the possibility (or eventuality) of a data breach. It's good to see that so many organizations are planning ahead. With data breaches, as with other types of disasters, preparation is key to getting through the experience with minimal impact to the business.
And talking about impact to the business, the average cost of a breach in the U.S. just keeps going up. In the report “2016 Cost of Data Breach Study: United States” published by IBM and Ponemon Institute, the authors claim the average total cost of a data breach is now $7.01 million. That's a 7% increase from last year. The average cost per lost or stolen record is now $221, up 2% over the previous annual study.
Some of those costs are associated with response activities, such as sending out notices and performing a forensics analysis. Bruemmer says companies need to plan ahead for those types of activities. Doing so will smooth the response to a breach, and may help keep down costs. In the U.S., about a quarter of all companies Experian works with don't yet have a breach plan. Internationally, about three-quarters of Experian's customers don't yet have a plan.
Companies that do business in other countries have to keep in mind that every country has its own laws and requirements for breach response. For example, in the European Union today, 38 countries outline notification and/or consumer privacy requirements, and they can differ from country to country. The General Data Protection Regulation, scheduled to go into effect in May 2018, will supersede those individual laws. Until then, a multinational breach will require specific knowledge of each country's laws, complicating the response activities.
Bruemmer has advice for all companies that handle or store regulated information, including payment data, personally identifiable information (PII) like Social Security numbers, or private health information (PHI). He recommends making a breach response plan, practicing the breach response plan, and designating a person to oversee execution of the plan if/when an incident occurs.
* Make a plan. For most companies, a serious data breach of regulated information is a type of disaster, and therefore it needs its own type of plan for response and recovery. Just as when a fire or a flood hits a physical environment, people need to spring into action quickly. That means they need to know what to do and how to do it, so a plan is essential.
Few companies will get through a data breach on their own. They will need: specialists that can handle the consumer notifications and credit monitoring; technical experts that can conduct an in-depth forensics analysis of how the breach occurred; legal counsel that can advise on regulatory requirements; and so on. It's wise to select these providers ahead of time and negotiate contracts for their services, in the event that they are needed quickly.
* Practice the plan. Bruemmer stresses that it's not enough to develop a plan and put it on the shelf. The response team needs to practice the plan, perhaps in a tabletop exercise or even a live fire exercise. This is the best way to uncover gaps, or to discover what might have changed, such as a key vendor going out of business. If there is a potential for a multinational breach (i.e., compromise of data for people across multiple countries), the practice exercise should include representatives from all of the countries that could be impacted.
* Appoint a delegated authority. Data breaches make an impact across numerous levels of an organization. It's critical that the executive leaders appoint a single person as the delegated authority who has the ability to make decisions regarding breach response. Ideally this person is chosen by the CEO and the Board of Directors, but it is not the CEO or a director: they are needed to run the company and should not be mired in breach response details. If the organization is multinational, the delegated authority must be able to cross geographic lines and coordinate on behalf of all the affected countries.
Bruemmer says the delegated authority can be an internal person, such as the company Chief Information Security Officer, or an external person, such as someone who specializes in cybersecurity and international law. Whoever is chosen, this person must have the final say on how the response plan is executed.
There's a lot to consider in putting together a breach response plan. Experian has published a Data Breach Response Guide that provides good information and guidance.