Recovering from a Data Breach

If you’ve struggled to manage the fallout from a data breach, you know the time to plan for one is not during the crisis, but long before an incident occurs.

Eight Steps to Follow

There are eight basic steps we recommend following when you’re faced with a data breach, and they generally conform to crisis management best practices — with a dash of information governance:
Step #1: Remain Calm, Communicate, and Follow the Plan
Step #2: Contain the Breach
Step #3: Investigate the Breach
Step #4: Notify Affected Parties
Step #5: Fix the Problems
Step #6: Become More Resilient
Step #7: Rebuild Trust
Step #8: Take Advantage of a Crisis
As with any enterprise-grade crisis response program, your data breach recovery plan must be flexible, evolving as the organization and its data security risks change. It should also be integrated with the organization’s overall risk management strategy to ensure alignment with business objectives and priorities. It must be a living plan, reviewed and updated frequently by the stakeholders who are accountable and responsible for its development and implementation.

Consequences of a Data Breach

Data breaches happen; they are a business reality affecting organizations large and small, in virtually every industry, including healthcare providers, banks, insurance carriers, retailers, utilities, military and government agencies, transportation companies, universities, non-profits, and charities. Data breaches impact the most security-conscious organizations as well as the least prepared. Data breaches can tarnish bottom lines, pummel reputations, and even land senior executives in hot water.

The negative effects of a data breach can be wide-ranging, impacting an organization immediately and over the long term. There are six ways in which data breaches affect almost all compromised organizations:

Financial Losses

A data breach can strain finances, causing lost revenue, increased expenses related to breach response and remediation, and stealing time and focus from business priorities.

Customer Attrition

A data breach erodes trust, causing customers to seek alternative providers and suppliers, directly impacting your business’s bottom line.

Reputational Damage

Your organization’s reputation can take a hit, especially if it fails to properly handle the situation or notify those affected in a timely manner.

Legal Impacts

Companies may face legal consequences for damages incurred by affected parties. One such class action lawsuit recently cost a major wireless provider $350 million in damages.

Operational Disruptions

Data breaches can disrupt your daily operations, leading to decreased productivity and revenue.

Personal Losses

A breach could personally affect individuals whose information has been compromised, increasing the chances of identity theft, credit card fraud, financial blackmail, or harassment.

The Eight Steps

With the negative consequences of a data breach in mind, the eight recovery steps are as follows:

Step #1: Remain Calm, Communicate, and Follow the Plan

During a crisis like an active data breach response, there will be significant pressure from inside and outside your organization to act decisively, address questions and concerns, limit damage to the organization, and soothe frayed nerves (for customers, partners, investors, employees, and others).

Keep your own nerves intact by staying calm and managing your emotional response; seek out facts and collect information quickly and efficiently; avoid pointing fingers or affixing blame, even when there is clear evidence of malice or neglect; collaborate with peers and partners; and give senior leaders and other stakeholders timely, fact-driven updates that emphasize a prioritized response, discrete actions, and an overarching timeline.

Step #2: Contain the Breach

Think of a data breach like a ship taking on water: your first and most important task is to plug the leaks and ensure no additional damage is done. Until you can limit the damage, you will never be able to recover from your data breach.

Consider the example of a retailer that discovered a data breach in its payment systems: they immediately shut down affected terminals, identified the compromised data assets and repositories, isolated the in-scope databases, applications, and servers, changed passwords, and updated detective controls across the network and with third-party vendors and suppliers. During this phase the team focused on nothing but containment. The IR / security team orchestrated the immediate response, but it needed the IT team as well as the applications, database, networking, telecommunications, POS / endpoint operations, and other groups.

Two caveats apply to any containment playbook of this kind. First, containment and evidence preservation pull in opposite directions: powering off a terminal or server destroys volatile memory and can truncate the logs that Step #3 depends on, so where the timeline allows, capture memory, logs, and disk images before shutdown, or isolate the host at the network level (block its traffic) rather than power it off. Second, rotating credentials while the attacker still holds the access path they used to obtain them only hands them the new credentials; sequence password and key rotation after that access path is closed, and rotate in one coordinated sweep rather than piecemeal.

Once the incident responders had regained situational control, integrated damage reports from across the organization, and demonstrated that no further damage was being done, they could turn their attention to other priorities.

Step #3: Investigate the Breach

Every incident, attack, theft, and data breach leaves clues for investigators to find and understand. It takes time to investigate, piece together the clues, and understand the scope and extent of the breach. For many organizations, this step requires the help of outside subject matter experts experienced with these investigations and equipped to investigate quickly and efficiently.

Take the case of a healthcare provider whose patient records were exposed in a coordinated insider compromise involving an overseas cybercrime network. The data breach response team brought in pre-vetted, retained outside investigators, who discovered that a disgruntled employee had sold access to, and information about, internal systems, giving outside hackers a path to the provider’s most sensitive data assets. The investigators further pieced together that the attackers had used this information to stage a series of “low and slow” attacks, gaining elevated privileges over time and enabling data exfiltration that avoided detection or prevention. The response team’s eventual, complete understanding of how the breach occurred, reached together with their trusted outside partner, covered who was involved internally, which outside hackers had perpetrated the attacks, how the data was compromised, and the extent of the damage; that understanding was crucial to recovering from the breach and emerging stronger as a result.

One practical check this case illustrates: a “low and slow” campaign can span months, so an investigation is only as good as the log retention that covers the attacker’s dwell time. If authentication, privilege-change, and egress logs roll off after a few weeks, the investigators will be reconstructing the timeline from fragments.
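The detection gap in this case, exfiltration that never trips a per-transfer alert, is worth seeing concretely. The following is an added example, not code from the original page or from any of the organizations it describes: it aggregates constructed egress log lines per source/destination pair over a long window and flags pairs whose individual transfers would never fire a per-transfer rule but whose cumulative volume does. All hostnames, addresses, thresholds, and log lines are made-up assumptions.

```python
"""Flag "low and slow" exfiltration: many small transfers to one destination that
each stay under the per-transfer alert threshold but add up over a long window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log (format: ISO-8601 time, source host, destination, bytes).
# These hosts, addresses and volumes are made up for the example.
SAMPLE_LOG = "\n".join(
    # a workstation pushing ~4 MB to the same external host every night for two weeks
    [f"2024-03-{d:02d}T02:{10 + d:02d}:00Z ws-041 203.0.113.10 4200000" for d in range(1, 15)]
    # a single large upload that is under both thresholds: not flagged
    + ["2024-03-03T14:02:00Z ws-017 198.51.100.7 9500000"]
    # nightly backups above the per-transfer threshold: the per-transfer rule owns these
    + [f"2024-03-{d:02d}T23:00:00Z srv-backup 192.0.2.20 12000000" for d in (5, 6, 7)]
)

PER_TRANSFER_ALERT = 10_000_000   # 10 MB: assumed single-transfer DLP/egress alert
CUMULATIVE_ALERT = 25_000_000     # 25 MB: assumed cap per (src, dst) within the window
WINDOW = timedelta(days=14)
MIN_ACTIVE_DAYS = 5               # require sustained activity, not one busy afternoon


def parse_egress_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples, skipping blanks/comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return events


def find_low_and_slow(events, window=WINDOW, per_transfer=PER_TRANSFER_ALERT,
                      cumulative=CUMULATIVE_ALERT, min_days=MIN_ACTIVE_DAYS):
    """Return (src, dst, total_bytes, active_days) for every pair whose transfers all
    stay below per_transfer yet sum past cumulative inside some window-long span
    covering at least min_days distinct days."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in sorted(events, key=lambda e: e[0]):
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), xfers in by_pair.items():
        if any(n >= per_transfer for _, n in xfers):
            continue  # the per-transfer rule already fires; this rule is for what it misses
        best_total, best_days, start = 0, 0, 0
        for end in range(len(xfers)):          # sliding window over time-sorted transfers
            while xfers[end][0] - xfers[start][0] > window:
                start += 1
            span = xfers[start:end + 1]
            total = sum(n for _, n in span)
            if total > best_total:
                best_total = total
                best_days = len({ts.date() for ts, _ in span})
        if best_total >= cumulative and best_days >= min_days:
            findings.append((src, dst, best_total, best_days))
    return findings


if __name__ == "__main__":
    for src, dst, total, days in find_low_and_slow(parse_egress_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {total / 1e6:.1f} MB over {days} active days")
```

The design choice worth noting is the skip on pairs that already exceed the per-transfer threshold: those are the per-transfer rule’s job, so this rule only ever reports the traffic that rule is blind to. In production the same aggregation belongs in the SIEM over proxy, firewall, or cloud flow logs, keyed on identity as well as host, and the thresholds should come from a baseline of the environment’s normal egress rather than the constants assumed here.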
Step #4: Notify Affected Parties

Once you know the extent of the data breach, what data is in scope, and who was compromised, you can begin notifying the appropriate parties. Your legal and compliance teams must be involved in determining who to notify, when, how, and why. A pre-established crisis communication plan is crucial to this step and should be created and vetted long before a data breach occurs. This plan must specify legally required or regulator-mandated notifications (along with notifications designed to lessen reputational damage), designate responsible internal and external individuals, and outline notification methods.

In most cases, customers, partners, employees, and other trusted parties must be notified when their data has been compromised, or when there is an expectation or likelihood of compromise; the specifics depend on your legal team’s guidance regarding the regulatory, contractual, statutory, and other requirements your organization faces. In many cases, industry and government regulators must be notified promptly as well, and many regimes measure the notification deadline from the moment of discovery, so the plan should record who owns each deadline.

Consider a financial services provider that faced a very public ransomware incident and data breach affecting millions of customers. After containing the breach, they promptly notified affected account holders, detailing the nature and timing of the incident, which data was exposed, how individuals could receive additional assistance (including credit monitoring), and the detective and protective steps taken to avoid such incidents in the future. They also notified multiple regulatory agencies at both the state and federal level and briefed their board members and principal investors. Finally, their PR team released a subset of the information to the media in accordance with the pre-existing crisis communication plan.
Step #5: Fix the Problems
In Step #3 your team investigated and determined the “who, what, where, how, and why” involved with your data breach. Now it’s time to address the root causes you may have uncovered, some of which might include:
Unpatched vulnerabilities
Misconfigured detection and prevention settings
Inactive or unlicensed security features
Missing or under-utilized tools or technologies
Poor staff training, awareness, or participation
Supply chain or 3rd party infrastructure vulnerabilities

There is frequently a “perfect storm” of causes and factors involved, and a prioritized action plan is needed to remediate the most pressing problems first. Remember it’s possible that weeks, months, or even years have gone by while the underlying vulnerabilities developed and became entrenched—so it’s neither realistic nor practical to expect everything to be fixed (or fixable) overnight.
Instead focus on the most practical remediation actions that address the greatest risks most quickly, using a step-wise formula:

Which action to take?

  • Is it practical? Does this action require the acquisition of new tools, technologies, licensing, equipment, human resources, outside assistance, etc.? What is the cost involved? How does that cost compare to other security expenses? How operationally difficult will it be to acquire this item (e.g., budgeting, internal team coordination, legal agreement negotiation, purchasing, new vendor onboarding, solution implementation, staff training)? How significant is the rollout or deployment commitment for this new item? Who will be involved with this acquisition, and is that individual or team willing and able to assist / participate?
  • Is it impactful? Does this practical action quantifiably reduce risk or demonstrably remediate the vulnerabilities or weaknesses that led to the security incident / data breach? If yes, how is that impact quantified or demonstrated? Who is this risk reduction being reported to, and what is their role in its approval, implementation, deployment, adoption, and maintenance? How will the organization be more secure and the security incident / data breach less likely to recur? Is this impact sustainable over the immediate, mid-, and long term, or is it impactful for only a brief period of time?
  • Is it timely? How quickly will this practical and impactful action take effect? Will its positive impact take weeks, months, or years to occur? What, if any, intermediate effects will occur while its full impact is developing? What timeframe can we expect for its implementation, and how do we best communicate those expectations to interested or involved parties?
Across any and all actions that will be taken, it’s also important to map RACI considerations: those individuals and teams who are Responsible, Accountable, Consulted, and Informed when actions are taken.
Step #6: Become More Resilient
Resilience refers to your organization’s ability to effectively deal with and bounce back from unexpected setbacks, sudden changes, or difficulties it encounters—like a data breach. This concept extends to how your IT systems and infrastructure play a role:

  • How quickly can you work around your primary applications and databases being knocked offline by a malicious insider?
  • If data is encrypted in a ransomware attack, can you recover an unencrypted version of it?
  • How current and complete is your backup data?
  • Do you have a clearly-defined, executable crisis management plan in place?
  • Who is responsible for what actions if a data breach occurs?
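
The backup questions above have a concrete check behind them: a backup is only useful if you can prove that a restore matches what was backed up and that the backup is recent enough to meet your recovery point objective. The following is an added example, not code from the original page or from any organization it describes. It builds a hash manifest at backup time, compares a restored tree against that manifest, and checks the backup’s age against an RPO; the file names, contents, timestamps, and the 24-hour RPO are constructed assumptions.

```python
"""Verify a restored backup against a manifest taken at backup time, and check its age
against a recovery point objective (RPO)."""
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backup artifacts never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest captured at backup time.
    A file is 'corrupt' if present but its hash differs (e.g. encrypted in place)."""
    result = {"ok": [], "corrupt": [], "missing": []}
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def backup_is_current(taken_at: datetime, now: datetime, rpo: timedelta) -> bool:
    """A backup older than the RPO cannot meet it, however intact it is."""
    return now - taken_at <= rpo


def demo() -> dict:
    """Constructed scenario: back up three files, 'restore' them with one encrypted
    in place and one missing, then run the checks. Nothing here is real data."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp) / "source", Path(tmp) / "restored"
        src.mkdir()
        restored.mkdir()
        files = {"db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n",
                 "config/app.yaml": b"debug: false\n",
                 "docs/runbook.md": b"# Recovery runbook\n"}
        for rel, data in files.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = build_manifest(src)   # in practice stored out of band at backup time

        # Simulate a restore that came from tampered media.
        for rel, data in files.items():
            if rel == "docs/runbook.md":
                continue                                   # absent from the restore
            if rel == "db/orders.sql":
                data = bytes(b ^ 0x5A for b in data)       # stand-in for ransomware encryption
            p = restored / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)

        report = verify_restore(manifest, restored)
        taken_at = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)   # assumed backup time
        now = datetime(2024, 3, 3, 9, 0, tzinfo=timezone.utc)        # assumed check time
        report["current"] = backup_is_current(taken_at, now, rpo=timedelta(hours=24))
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The manifest has to live somewhere the attacker cannot reach, such as immutable or offline storage; a manifest stored beside the backups it describes can be encrypted or rewritten along with them, and the check then proves nothing. Run the same verification as a scheduled restore drill, not only during an incident, so that a stale or unrestorable backup is found before you need it.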

Take the example of an e-commerce platform provider who suffered a data breach in which customer data was exposed. According to their recovery plan, they immediately moved to enforce new, stronger password policies, implement two-factor authentication across all platforms (not just those involving sensitive data), invest in additional encryption tools, and implement new detection and response capabilities. They also further educated their staff on advanced phishing attacks.

Resilience must be practiced, reviewed, evaluated, and strengthened on a continuous basis. Resilience isn’t simply identifying and remediating security vulnerabilities, performing staff training, and operating a comprehensive but static set of detective and preventive security controls—it is a top-down and bottom-up risk management culture that continually questions assumptions, challenges prevailing logic, and examines the underlying features of a security program.
Resilience is a culture that takes root and grows over time, fed by strong leaders, and tended by passionate practitioners who are bought into the overarching mission; resilience doesn’t flourish without these conditions.
Step #7: Rebuild Trust
Rebuilding trust with affected customers, employees, vendors, partners, investors, and regulators—both at the individual and collective level—is critical to recovering from a data breach. Open and honest communication, outlining the clear and decisive steps taken to secure data and prevent future breaches, goes a long way toward fixing broken relationships and restoring confidence.
Step #8: Take Advantage of a Crisis
Your team can emerge stronger and more resilient as a result of a data breach. As counter-intuitive as it sounds, a data breach can be a positive turning point for an organization; paraphrasing the ancient Roman Stoic philosopher Marcus Aurelius, “The obstacle is the way.” Consider a tech startup that suffered a data breach. They used the incident as a catalyst to invest in more effective security technologies, provide more meaningful security training to their employees, develop robust security incident policies and procedures, a comprehensive crisis communications plan, and “break-glass” operational recovery procedures in the event of a catastrophic incident. This transformation left their business more resilient, not only in the event of a future data breach, but for virtually any incident or crisis event they might encounter: natural disaster, critical infrastructure failure, political upheaval, adverse weather event, terrorist attack, active shooter scenario, public health emergency, etc.

On Plans and Getting Punched in the Face

When legendary boxer Mike Tyson was asked by a reporter whether he was worried about fighting Evander Holyfield he responded, “everyone has a plan until they get punched in the mouth.” Does this mean don’t plan? Or that plans don’t work? No, it means planning must be adaptable because the real world has a tendency to challenge your expectations and assumptions; what you thought would work in theory might need tweaks or changes to work in practice. No defense is perfect, but readiness and resilience are your best options by far. By following the practical steps in this guide and learning from real-world examples, you can navigate the challenges of a data breach and protect your business against future threats. We invite you to embrace the opportunity to emerge stronger, more secure, and better prepared: the time is right now.

Need help jumpstarting your recovery efforts?

Want to dive deeper on your recovery strategy? The team at Infolock is available for a 30-minute, no-cost, no-obligation consultation.

Additional Resources

There are a variety of free resources available to assist you in creating your data breach response strategy, incident management communication plan, and related incident response procedures: