A Complete Guide to Data Breach Response

Understanding which breach services you need before you need them

Guide Summary: Consider this your starting place for everything you need to know about preparing for a data breach response and understanding the important differences between events, security incidents, and data breaches.

# What the rising risk of data breaches means for your entity


In today's digital economy, data is a key business asset, but data breaches threaten the value and integrity of this asset. The number of breaches is swiftly rising, so much so that they've become a matter of when, not if, for businesses. In fact, the Ponemon Institute estimates that the chances of having a breach are as high as one in four.

The Privacy Rights Clearinghouse estimates there have been slightly more than 9,000 public breaches since 2005, and that these breaches exposed more than 10 billion records of personal information between 2005 and 2019. And nine in 10 businesses said they had experienced a cyber-attack in the last year.


## The high cost of data breaches

Data breaches are increasingly expensive, costing U.S. businesses an average of $8.64 million, according to the IBM Cost of a Data Breach Report. The study divided this cost into four categories:

  • Lost business - Nearly 40 percent of data breach costs are due to increased customer turnover, lost revenue due to system downtime, and the rising cost of acquiring new business due to reputational harm.
  • Detection and escalation - About 29 percent of the cost comes from activities that help a company detect a breach, such as forensics and investigation, assessment and audit services, crisis management, and communications to senior leaders.
  • Ex-post response - Slightly more than one-fourth of breach costs include support for breach victims like credit monitoring and identity protection services as well as legal fees and regulatory fines.
  • Notification - Only six percent of breach costs are used to notify data subjects, regulators, and other third parties via email, letters, calls, or other methods. The cost includes engaging outside experts.

To contain costs and lessen the impact of a breach on your company, you need a response plan. To help you do just that, we've put together this breach response guide. In it, you'll learn:

  • How to distinguish between an event, a security incident, and a data breach–and why that matters
  • What a planned breach response is and why it's vital
  • Where to start with breach response planning
  • What to look for in a breach response services provider
  • The difference between government and private-sector breach response

# Event vs. security incident vs. data breach: What's the difference?

The odds are high that your organization has been or will be the target of an attack that puts sensitive data at risk. And even if you're not in a hacker's crosshairs, system weaknesses and human errors also threaten the security of personal information.

When something like this happens, what do you call it? An event? A security incident? A data breach? And, quite honestly, does it matter what you call it?

It does matter. How you classify an occurrence determines your response—and thus your ability to properly protect your customers, your reputation, and your bottom line.

The graphic below shows the relative frequency of events, incidents, and breaches. It also highlights the fact that not all events are incidents, nor are all incidents classified as breaches. We'll discuss each of these in detail below:

## Events

The National Institute of Standards and Technology (NIST) defines an event as “any observable occurrence in a system or network,” such as sending an e-mail message or a firewall blocking an attempt to connect. NIST further defines adverse events as those with a “negative consequence, such as…unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.”

## Security Incidents

A security incident or privacy incident, on the other hand, is an event that violates an organization’s security or privacy policies and involves sensitive information such as online credentials (usernames/passwords), Social Security numbers, and confidential medical information. These can range from a lost laptop to missing paper files to sophisticated cyber-attacks. Security incidents are part of everyday business.

In its Data Breach Investigations Report, Verizon similarly defines an incident as a "security event that compromises the integrity, confidentiality, or availability of an information asset."

## Data Breach

A data breach is a security (or privacy) incident that meets specific legal definitions as per state and federal breach laws. Data breaches require notification to the affected individuals, regulatory agencies, and sometimes credit reporting agencies and the media. Only a small percentage of privacy or security incidents escalate into data breaches–the Verizon report analyzed 32,002 incidents but fewer than 4,000 confirmed breaches.

Bottom line: Properly defining an event or security incident or data breach doesn't just make you sound smart. It helps you match your response to the severity of the risk to sensitive (and often regulated) data your organization holds. For example, notifying your customers of a breach equips them with the information they need to protect themselves, but alerting them to every security incident only sets them up for what experts call "breach fatigue." And you don't want that.
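A small triage helper, added here and not part of the original guide, that walks an occurrence down the event / adverse event / incident / breach funnel described above and ties the notification decision to the final level. The legal test and the sample occurrences are constructed assumptions, since the actual breach-law criteria vary by state.

```python
from dataclasses import dataclass
from enum import Enum

class Level(Enum):
    EVENT = "event"
    ADVERSE_EVENT = "adverse event"
    INCIDENT = "security incident"
    BREACH = "data breach"

@dataclass
class Occurrence:
    description: str
    adverse: bool = False                        # negative consequence (NIST "adverse event")
    policy_violated: bool = False                # breaks a security or privacy policy
    sensitive_data: bool = False                 # credentials, SSNs, medical records, ...
    data_unprotected: bool = False               # hypothetical legal-test input, e.g. not encrypted
    unauthorized_access_confirmed: bool = False  # hypothetical legal-test input

def meets_legal_definition(o: Occurrence) -> bool:
    """Hypothetical, simplified stand-in for the statutory test; real breach laws vary by state."""
    return o.data_unprotected and o.unauthorized_access_confirmed

def classify(o: Occurrence, legal_test=meets_legal_definition) -> Level:
    # Funnel: event -> adverse event -> incident (policy broken AND sensitive data) -> breach (legal test).
    if not o.adverse:
        return Level.EVENT
    if not (o.policy_violated and o.sensitive_data):
        return Level.ADVERSE_EVENT
    if legal_test(o):
        return Level.BREACH
    return Level.INCIDENT

def notification_required(o: Occurrence) -> bool:
    # Only breaches trigger notice; notifying on every incident is what the guide calls breach fatigue.
    return classify(o) is Level.BREACH

# Constructed sample occurrences, one per level of the funnel.
SAMPLE = [
    Occurrence("firewall blocked an inbound connection attempt"),
    Occurrence("ransomware encrypted a test lab's scratch disk (no personal data)", adverse=True),
    Occurrence("laptop holding encrypted customer SSNs lost",
               adverse=True, policy_violated=True, sensitive_data=True),
    Occurrence("laptop holding unencrypted customer SSNs stolen; thief logged in",
               adverse=True, policy_violated=True, sensitive_data=True,
               data_unprotected=True, unauthorized_access_confirmed=True),
]

def triage(occurrences=SAMPLE):
    # Returns (description, level, notify?) for each occurrence.
    return [(o.description, classify(o).value, notification_required(o)) for o in occurrences]
```

Swapping in your counsel's own predicate for `legal_test` is the point of the parameter: the funnel stays the same while the final gate follows the statutes that apply to you.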

# Breach response planning: Why it's vital

In years past, just having a breach meant bad news for a company. These days, how you handle a breach matters a lot more than having one. Here's a case in point: Assist Wireless, a wireless carrier that provides free, government-subsidized mobile phones and plans to low-income households, experienced a security breach that exposed tens of thousands of customers' IDs. TechCrunch praised the company for its response, saying:

Assist responded a short time after fixing the bug with a letter from the company’s legal counsel, explaining in detail what happened, what the company did to fix the issue, and how it will notify its customers that their information was affected. It’s clear that it had a plan in place in the event of a data breach.
― TechCrunch

The article's author noted that while "the exposure of customer data was far from ideal," the carrier's response "was one of the best I’ve seen in years."

With a plan in place, Assist Wireless launched a stellar response that earned praise from the media. And by preparing for a breach, the company could swiftly act to contain the damage, prevent future problems, and protect its customers from further harm.

## A faster breach response keeps costs down

Like any emergency situation, a data breach requires a carefully planned response to contain the damage and reduce ongoing risk. But also like many emergencies, breaches are complex. And the longer it takes to uncover a breach, the costlier the response. The IBM Cost of a Data Breach Report found that breaches with a lifecycle (time to identify plus time to contain a breach) longer than 200 days cost an average of $1.12 million more than those with a lifecycle of less than 200 days.

To minimize costs and other damages from a breach, then, companies want to shorten the breach lifecycle. They need to be prepared with a response plan ahead of time. This starts with adopting the when-not-if-a-breach-happens mentality:

As data breaches are being discovered and reported more frequently, it is critical for organizations to recognize that establishing and implementing a security breach response plan is an integral part of their cybersecurity preparedness.
― Petar Beslev, SVP of Cybersecurity and Privacy Services, A-LIGN

# Where to start with breach response planning

Business leaders that prepare for the inevitable breach will fare much better than those that don't. You can minimize costs, both financial and reputational, with a prepared response.

Breach response, or incident response as it's also called, is a multi-phased plan that helps your business know what to do and who to contact when a breach occurs. The Federal Trade Commission (FTC) offers a three-step guide for businesses that experience a breach exposing sensitive public information:

1. Secure your operations - Immediately mobilize your breach response team–assembled ahead of time–to stop additional data loss. Get a team of experts together to launch your response. These experts could include forensics, legal, information security, human resources, communications, investor relations, and management. This team will conduct forensics as well as advise you on applicable state and federal breach laws.
2. Fix vulnerabilities - Among other things, this means creating a communications plan for everyone affected by the breach–employees, customers, investors, business partners, and other stakeholders. You'll want to avoid making misleading statements about the breach or withholding details that consumers need to know to protect themselves and their information. Clear, honest communication now can minimize customers' worries and frustration–and save you time and money later on.
3. Notify appropriate parties - Notify state and federal regulators, law enforcement, other affected businesses, and, of course, the people whose information was exposed. A broad range of communication tools, including letters, websites, toll-free numbers, and a PR campaign helps ensure all of the individuals impacted by a breach get the information they need.

As a side note, the FTC also recommends offering at least a year of free credit monitoring, identity theft protection, or identity restoration services if financial information or Social Security numbers were exposed. Thieves can use this data to commit fraud, such as opening new accounts.

## Start with your organization's breach risks

The FTC plan highlights just how complex breach response is. There are so many moving parts and different factors to consider. To determine the best approach for your organization, you need to understand your breach risks. Consider these questions:

• What are the consequences if personal information was exposed due to a breach at your company?
• What does a catastrophic incident look like for your company?
• What are your reputational, financial, or regulatory risks?

Once you understand what is at stake for your company and your customers, then you can start planning. For many organizations, the size and scope of a plan depend on the cost. That's where cyber insurance can help.

## Are you a good fit for cyber insurance?

Many companies use cyber insurance to help cover breach response costs, including forensics, notification, credit monitoring, and even regulatory fines. It's a good investment; the IBM data breach report showed that half of the organizations with cyber insurance used their coverage to pay for consulting and legal services.

However, another survey found that 42% of businesses may not have enough insurance to cover the average cost of an attack. So before purchasing a policy, here are some questions to consider:

1. Can you choose your own legal counsel, breach coach, and other service providers?
2. Are first-party services–forensics, reputational harm, notification costs, credit monitoring, etc.–within or outside policy limits?
3. Is there coverage for "rogue" employees (a worker who deliberately caused the breach)?
4. What is the coverage trigger? That is, does the coverage start when a breach occurs, or do you have to wait until someone files a claim?
5. Does the policy cover the financial cost of cybercrime, including financial loss from ransomware or social engineering attacks?

# What to look for in a data breach response solutions provider

A data breach is one of the greatest risks your company will have, and a poor response could cost you. As the IBM report found, the most expensive part of a breach is lost business, including customer turnover and reputational harm. The experience your customers have during this stressful time can make or break your company's reputation. Outsourcing customer-focused services–notification, communication services, and identity monitoring and protection–to the professionals can help preserve your good name while protecting customers from the dangers of identity theft and fraud.

When evaluating a data breach services provider, some questions you or your legal counsel may want to consider include:

• How many incidents a year does the provider handle?
• What is the service capacity–how many affected individuals can they support in a single breach?
• How quickly can they deploy a response?
• How do they work with your company to deploy services, such as offering a dedicated project manager?
• What identity protection packages do they offer?
• What industries do they serve?
• Who are their current clients?
• Which insurers have approved this vendor?
• Is there an advantage to signing up before a breach?

This last question is important. If you preemptively sign a master services agreement (MSA), your breach response provider can immediately act on your behalf when an incident occurs. For example, IDX offers a no-cost priority response plan for rapidly deploying breach response services in as little as three business days.

# How a government data breach response differs from the private sector

Many organizations, both public and private, know the value of a trusted breach response partner to manage all customer touchpoints – notification, crisis communications, and identity protection services. But they look for very different things in that partner. Private businesses evaluate vendors on factors like customer service and price; government agencies want a provider who has successfully managed breach response for other public agencies and who meets rigorous security standards.

When choosing a breach response vendor, government agencies use a variety of sources, including the Contractor Performance Assessment Reporting System (CPARS). The system offers officials a place to review important performance and integrity information–such as news of contractor suspensions or terminations–before awarding a contract.

Like their private-company counterparts, government agencies can lessen the cost and impact of a future breach by selecting–and signing a contract with–a reputable breach vendor ahead of time.

## Make your data breach response plan now

Ready or not, your organization may face a data breach. When it does, your customers will turn to you for help and for answers. Not only that, regulators and the media will also scrutinize your response–how long did it take to discover the problem, what did you do to contain the damage, and, most importantly, how did you serve the people whose information was exposed?

Discover how IDX's proven and flexible professional services can reduce breach risks and costs, and offer your customers peace of mind with IDX Identity protection.

## Get ahead of data breaches

IDX is a preferred vendor for the majority of major cyber insurers.