Many data breaches have been in the news lately across many industries, such as:

  • Retail (e.g., Target, Home Depot)
  • Healthcare (e.g., Anthem, Premera)
  • Technology (e.g., AT&T, Apple)
  • Entertainment (e.g., Sony, Blizzard)
  • And others

While the types of attacks, exposed vulnerabilities, and type and number of records compromised all vary among these breaches, there is one thing in common to all: They all had to respond to the breach.

An Incident Response Plan (IRP) is a best practice that, unfortunately, an increasing number of organizations will need to have ready… or develop in the middle of a post-breach crisis. The IRP outlines the basics for dealing with a breach, from defining if a breach even occurred, to who will be involved in handling the crisis, to templates for investigating and communicating. There is no single authoritative source for the contents of an Incident Response Plan, but there is near universal agreement that an IRP is a prudent investment if appropriate effort has been put into it in order to have an operational IRP when the time comes.

Some common mistakes for a perfunctory IRP and associated organizational processes include:

  • IRP is out-of-date (or conflicting versions).  For example, IRP contains members of the crisis team who no longer work for the organization.
  • IRP does not account for different compliance regimes for different types of data.  HIPAA applies only to Protected Health Information, but requires very specific breach notification protocols.
  • Multiple jurisdictions in play for the breached data. Federal, State, Local and contractual obligations may vary for timelines to report a breach.

Information is the lifeblood of modern global commerce. While an absolutely necessary first line of defense, there are no fool-proof technologies or security paradigms to protect an organization’s information. An IRP is the last line of defense during a breach, protecting the organization from additional damage and restoring credibility/operations/revenue most quickly. Organizations without a robust IRP will take longer to recover during the inevitable next breach.

Additional Resources:
McKinsey & Company, “How good is your cyberincident-response plan?”

NIST Computer Security Incident Handling Guide