
Recovering from a Data Breach

If you’ve struggled to manage the fallout from a data breach, you know the time to plan for one is not during the crisis, but long before an incident occurs.

Eight Steps to Follow

There are eight basic steps we recommend following when you’re faced with a data breach, and they generally conform to crisis management best practices — with a dash of information governance:
Step #1: Remain Calm, Communicate, and Follow the Plan
Step #2: Contain the Breach
Step #3: Investigate the Breach
Step #4: Notify Affected Parties
Step #5: Fix the Problems
Step #6: Become More Resilient
Step #7: Rebuild Trust
Step #8: Take Advantage of a Crisis
As with any enterprise-grade crisis response program, your data breach recovery plan must be flexible, evolving as the organization and its data security risks change. It should also be integrated with the organization’s overall risk management strategy to ensure alignment with business objectives and priorities. It must be a living plan, reviewed and updated frequently by stakeholders who are both accountable and responsible for its development and implementation.

Consequences of a Data Breach

Data breaches happen; they are a business reality affecting organizations large and small, in virtually every industry, including healthcare providers, banks, insurance carriers, retailers, utilities, military and government agencies, transportation companies, universities, non-profits, and charities. Data breaches hit the most security-conscious organizations as well as the least prepared. They can hurt bottom lines, pummel reputations, and even land senior executives in hot water.

The negative effects of a data breach can be wide-ranging, impacting an organization immediately and over the long term. There are six ways in which data breaches affect almost all compromised organizations:
Financial Losses

A data breach can strain finances, causing lost revenue, increased expenses related to breach response and remediation, and stealing time and focus from business priorities.

Customer Attrition

A data breach erodes trust, causing customers to seek alternative providers and suppliers, directly impacting your business’s bottom line.

Reputational Damage

Your organization’s reputation can take a hit, especially if it fails to properly handle the situation or notify those affected in a timely manner.

Legal Impacts

Companies may face legal consequences for damages incurred by affected parties. One such class action lawsuit recently cost a major wireless provider $350 million in damages.

Operational Disruptions

Data breaches can disrupt your daily operations, leading to decreased productivity and revenue.

Personal Losses

A breach could personally affect individuals whose information has been compromised, increasing the chances of identity theft, credit card fraud, financial blackmail, or harassment.

The Eight Steps

With the negative consequences of a data breach in mind, the eight recovery steps are as follows:

Step #1: Remain Calm, Communicate, and Follow the Plan

During a crisis like an active data breach response, there will be significant pressure from inside and outside your organization to act decisively, address questions and concerns, limit damage to the organization, and soothe frayed nerves (for customers, partners, investors, employees, and others).

Keep your own nerves intact during the crisis by managing your emotional response, seeking out facts, collecting information quickly and efficiently, not pointing fingers or assigning blame (even when there is clear evidence of malice or neglect), collaborating with peers and partners, and providing timely, fact-driven updates to senior leaders and other stakeholders that emphasize a prioritized response, discrete actions, and an overarching timeline.

Step #2: Contain the Breach

Think of a data breach like a ship taking on water: your first and most important task is to plug the leaks and ensure no additional damage is done. Until you can limit the damage, you will never be able to recover from your data breach.

Consider the example of a retailer that discovered a data breach in its payment systems: they immediately shut down affected terminals, identified the compromised data assets and repositories, isolated the in-scope databases, applications, and servers, changed passwords, and updated detective controls across the network and with third-party vendors and suppliers. Their team wasn’t focused on anything else during this phase of the response, just containment. The immediate crisis response was orchestrated by the IR / security team, but they required the assistance of the IT team, as well as applications, databases, networking, telecommunications, POS / endpoint operations, and others. One caveat worth building into the plan: containment actions should preserve the evidence the investigation in Step #3 will need, so image or snapshot affected systems and retain their logs before rebuilding or wiping them.

For the incident responders, once they were able to regain immediate situational control, integrate damage reporting from across the organization, and demonstrate no further damage was being caused, they could turn their attention to other priorities.

Step #3: Investigate the Breach

Every incident, attack, theft, and data breach leaves clues for investigators to find and understand. It takes time to investigate, piece together the clues, and understand the scope and extent of the breach. For many organizations, this step requires the help of outside subject matter experts experienced with these investigations and equipped to investigate quickly and efficiently.

Take the case of a healthcare provider whose patient records were exposed in a coordinated insider compromise involving an overseas cybercrime network: the data breach response team hired pre-vetted, retained outside investigators, who discovered that a disgruntled employee had sold access to and information about internal systems, giving outside hackers access to the provider’s most sensitive data assets. The investigators further pieced together that the attackers had used this information to stage a series of “low and slow” attacks, gaining elevated privileges over time and enabling data exfiltration that avoided detection or prevention. The response team’s eventual, complete understanding of how the data breach occurred, working with their trusted outside partner (who was involved internally, which outside hackers had perpetrated the attacks, how the data was compromised, and the extent of the damage), was crucial to recovering from the breach and emerging stronger as a result.
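The “low and slow” pattern in the case above only becomes visible when events from several sources are laid on one timeline. The following is an added example, not code from the original page or from any investigator’s toolkit: it merges three constructed log sources into a single time-ordered timeline and flags (a) users whose privilege grants accumulate in several small steps over weeks and (b) uploads far above that user’s own earlier baseline. The field layout (source, timestamp, user, action, detail), the thresholds, and every log line are assumptions made for illustration.

```python
"""Added example: reconstruct an incident timeline from constructed logs
and flag slow privilege escalation and exfiltration spikes.

The tuple layout (source, ISO timestamp, user, action, detail) and the
thresholds are assumptions for illustration, not any product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; not real log data.
AUTH_LOG = [
    ("auth", "2024-01-03T09:12:00", "jdoe", "login", "vpn"),
    ("auth", "2024-01-03T09:13:10", "jdoe", "login", "records-db"),
]
IAM_LOG = [
    ("iam", "2024-01-05T14:02:00", "jdoe", "role_added", "records_reader"),
    ("iam", "2024-01-19T11:45:00", "jdoe", "role_added", "records_export"),
    ("iam", "2024-02-08T16:30:00", "jdoe", "role_added", "db_admin"),
]
EGRESS_LOG = [
    ("proxy", "2024-01-04T10:00:00", "jdoe", "upload", "12000"),
    ("proxy", "2024-01-10T10:00:00", "jdoe", "upload", "15000"),
    ("proxy", "2024-02-09T02:15:00", "jdoe", "upload", "480000000"),
    ("proxy", "2024-02-10T02:20:00", "jdoe", "upload", "510000000"),
    ("proxy", "2024-01-04T10:00:00", "asmith", "upload", "20000"),
]


def build_timeline(*sources):
    """Merge event tuples from several sources into one time-ordered list."""
    events = [e for src in sources for e in src]
    return sorted(events, key=lambda e: datetime.fromisoformat(e[1]))


def find_slow_escalation(timeline, min_steps=3, min_span=timedelta(days=14)):
    """Return {user: [roles]} for users who received at least min_steps
    privilege grants spread over at least min_span. Each grant alone can
    look routine; the pattern only shows across the whole timeline."""
    grants = defaultdict(list)
    for _, ts, user, action, detail in timeline:
        if action == "role_added":
            grants[user].append((datetime.fromisoformat(ts), detail))
    flagged = {}
    for user, g in grants.items():
        if len(g) >= min_steps and g[-1][0] - g[0][0] >= min_span:
            flagged[user] = [role for _, role in g]
    return flagged


def find_exfil_spikes(timeline, factor=100):
    """Return (user, timestamp, bytes) for uploads larger than `factor`
    times the (upper) median of that user's earlier uploads. The baseline
    is built only from events before each upload, so a spike never
    inflates its own baseline. A user's first upload is never flagged."""
    history = defaultdict(list)
    spikes = []
    for _, ts, user, action, detail in timeline:
        if action != "upload":
            continue
        size = int(detail)
        prior = sorted(history[user])
        if prior:
            median = prior[len(prior) // 2]
            if size > median * factor:
                spikes.append((user, ts, size))
        history[user].append(size)
    return spikes


def summarize(timeline):
    """Bundle both findings so the IR lead can see them side by side."""
    return {
        "escalation": find_slow_escalation(timeline),
        "exfil": find_exfil_spikes(timeline),
    }


if __name__ == "__main__":
    tl = build_timeline(AUTH_LOG, IAM_LOG, EGRESS_LOG)
    for source, ts, user, action, detail in tl:
        print(f"{ts} {source:<6} {user:<7} {action:<11} {detail}")
    print(summarize(tl))
```

In a real investigation the inputs would be parsed from the sources the containment step preserved (authentication, IAM/change, proxy or firewall logs), and the thresholds tuned to the environment; the structure stays the same: one timeline, then pattern checks across it rather than per event.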
Step #4: Notify Affected Parties

Once you know the extent of the data breach, what data is in scope, and who was compromised, you can begin notifying the appropriate parties. Your legal and compliance teams must be involved when determining who to notify, when, how, and for what reason. A pre-established crisis communication plan is crucial to this step and should be created and vetted long before a data breach occurs. This plan must specify legally required or regulator-mandated notifications (along with notifications designed to lessen reputational damage), designate responsible internal and external individuals, and outline notification methods. In most cases, customers, partners, employees, and other trusted parties must be notified when their data has been compromised, or when there is an expectation or likelihood of compromise, with the specifics depending on your legal team’s reading of the regulatory, contractual, and statutory requirements your organization faces. In many cases, industry and government regulators must be notified promptly as well; many notification regimes set fixed deadlines measured from discovery, so the clock may already be running while the investigation is under way.

Consider a financial services provider that faced a very public ransomware incident and data breach affecting millions of customers: after containing the breach, they promptly notified affected account holders, detailing the nature and timing of the incident, which data was exposed, how individuals could receive additional assistance (including credit monitoring), and the detective and protective steps taken to avoid such incidents in the future. They also notified multiple regulatory agencies at both the state and federal level, and briefed their board members and principal investors. Finally, their PR team released a subset of the information to the media in accordance with the pre-existing crisis communication plan.
Step #5: Fix the Problems

In Step #3 your team investigated and determined the “who, what, where, how, and why” of your data breach. Now it’s time to address the root causes you uncovered, some of which might include:
Unpatched vulnerabilities
Misconfigured detection and prevention settings
Inactive or unlicensed security features
Missing or under-utilized tools or technologies
Poor staff training, awareness, or participation