Balancing Containment and Notification: Being Practical When Handling a Data Breach


When a company suffers a data breach—or fears that it has suffered a breach—teams often go into panic mode. When the dust settles, work divides into two camps: those focused on business continuity and containment, and those focused on determining if the organization has any breach notice obligations under relevant laws.

Often, these goals can be in conflict—or at least resources to achieve these goals can conflict. Different teams work on different sides of the issue. Internal resources are stretched. Outside resources overlap. What can a company do? First, recognize that both goals are important and deserve resources. Second, account for both goals throughout the breach “process.” The following are some concrete steps companies—and their breach crisis teams—can take:

  • Before the incident: Everyone knows about creating an incident plan and giving it a test run. But what about taking steps to understand your business realities and needs? Being prepared to address a breach, if one arises, hinges on a good understanding of the types of information you have, where you have it, and with whom that information is shared. It is never too soon to start on this work, and keeping that inventory up to date can be a life saver if a breach arises.
  • Digging in—investigating an incident: This is where the work of the two goals, containment and determining notification obligations, can come into the most conflict. Obviously you will need to contain and control the incident. You will want to take steps like investigating the nature of the incident and getting the right team, with the right background, on hand. But you will also want to establish some very specific facts for the lawyers who are determining whether notification is necessary. This includes understanding whether the information was actually compromised (accessed or acquired, not merely exposed) and whether the data elements involved are of a kind that triggers breach notice laws (social security numbers, medical information, usernames and passwords, etc.).
  • Notification: If you determine that notification is necessary, containment should not leave the scene. Will your notice impact any ongoing investigations? Will you tip off a bad actor? These questions should be taken into account as you draft your notifications, and as you work with law enforcement if they are pursuing that bad actor.
  • Post-notification: Once your notice goes out, you are not finished. The containment team will want to look at what lessons can be learned for next time, if there is a next time. The legal side of the house will be thinking about potential post-notice inquiries, whether they come from regulators, the press, or impacted individuals.

Regardless of whether your incident involves an aggressive bad actor bent on destroying your company or gives rise to a duty to notify, your team should ensure that it is taking appropriate steps to both contain and assess legal risks. The tips above are aimed at helping you get there.

Liisa Thomas, Esq.
Partner at Winston& Strawn LLP

Liisa will speak more on data breaches at the ISACA’s CSX 2015 cyber security conference in Washington, DC, 19-21 October 2015.

Note: This post is the third in a series of Cybersecurity Awareness Month blog posts. To learn more on the cyber security resources ISACA is offering this month, click here.

[ISACA Now Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in the ICT/cybersecurity industry in various sectors and positions.
