Ready for a data breach? How to develop your response plan

As of Oct. 23, there have been 347 data breaches reported in 2012 -- more than one per day. Does your organization have a thorough response plan in case you become case No. 348? The Online Trust Alliance has a free guide that will help you create a customer-centric plan. The guide covers everything from data loss prevention to mopping up if a breach occurs.

It seems that not a day goes by when we don't read about a data breach of some sort. It could be a headline-grabbing whopper like the recent Barnes & Noble situation involving 63 store branches, or a smaller but still problematic incident like a stolen laptop with sensitive information on it.

The Identity Theft Resource Center (ITRC) has reported 347 breaches for this year as of Oct. 23. The number of potentially exposed records, as best as could be determined, exceeds 10 million. In 2011, the Privacy Rights Clearinghouse recorded 558 incidents, and the Open Security Foundation reported 126.7 million records impacted. And these are just the known breaches that have been reported; the number of undiscovered incidents could overshadow these statistics.

A quick review of the cases reported to the ITRC this year (see the 2012 ITRC Breach Report) shows most breaches are attributed to one of the following causes:

• A lost or stolen portable device such as a laptop, smartphone or USB drive

• Unauthorized access, including hacking or insider access, to computer systems or point-of-sale systems

• Malware on computers that contain sensitive information

• Accidental exposure of records by a worker (for example, publicly posting a database containing Social Security numbers)

• Reckless disposal of printed materials containing sensitive information (such as recycling paper documents instead of shredding them)

The 2012 ITRC Breach Stats Report shows that breaches affect every industry and organizations from the largest corporations and government agencies down to small local businesses. This means that every business -- yours included -- is at high risk for a data breach. All it takes is one lost laptop or a careless worker.

With this in mind, the Online Trust Alliance (OTA) has published a very thorough document called the Online Trust Alliance 2012 Data Protection & Breach Readiness Guide.

According to the OTA: "A data breach can have devastating consequences to a business, damaging its brand and causing it to lose customers. The purpose of this guide is to provide guidelines that help businesses to proactively develop a plan to minimize data collection, enhance data protection and create a customer-centric incident response plan. By planning in advance, businesses of all sizes can minimize their risks, costs and the impact of a breach to their customers and the reputation of their company and brand."

It's a helpful guide, regardless of the size of your organization or the regulations under which you operate. This guide addresses three important areas:

* Data governance and loss prevention. Of course, it's far better to prevent a data breach than to deal with one after it has happened. The OTA document provides guidance on: classifying data to understand what is most important to protect; auditing and validating who has authorized access to confidential and sensitive information; how to preserve the state of your systems for detailed forensic investigation if you suspect a breach has occurred; the use of technology to prevent data loss; how to minimize the amount of data that you store and need to protect; and the proper way to destroy data that is no longer needed.

* Incident response planning. To minimize the overall effects of a data breach, it's important to plan ahead on what your organization will do once an incident happens. There's a lot of work to be done by many people upon discovery of a breach, and you want them to jump into action according to plan rather than trying to figure out who should do what first. Toward that end, the OTA guidance covers: how to create your incident response team; what vendor and law enforcement relationships you should establish ahead of time; how to create a project plan with a timeline and process flow of all the activities you need to do in a response; determining your notification requirements, including people whose data may have been compromised and regulatory agencies that track breaches; how and what to communicate about the breach; and what assistance should be offered in order to preserve trust in your brand.

* Training, testing and budget. A breach response plan isn't something to develop and then file away in a binder on the shelf. The plan will be most effective if the response team is trained on what to do, the plan is tested to make sure it covers everything, and the company executives get behind it by allocating sufficient resources to it. The OTA guide helps you plan: how to train employees so that they are aware of data protection issues and actions; how to prepare for the possibility of legal action as a result of the breach; what expenses may occur as a result of a breach, including credit monitoring services for victims and fines for regulatory violations; and how to conduct a postmortem analysis at the end of an incident response to learn what you could do better in the future.

The time to think about how to respond to a data breach is not when a key employee announces his laptop containing the entire customer database was stolen at the local coffee shop. The time to plan for an incident is now, and the guide from the Online Trust Alliance will walk you through all the steps. Get your guide for free here.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Copyright © 2012 IDG Communications, Inc.