Your data breach response plan should...

By Gavin Smith, Valeska Bloch
Cybersecurity & Privacy Data

  1. Be practical, up-to-date and easy to follow.
  2. Explain what constitutes a data breach and your strategy for containing, assessing and managing data breaches. It should also explain how it will interact with your other incident response plans.
  3. Identify a data breach lead and response team comprising senior management, IT, public and investor relations, legal and risk/compliance and consider how that team will be activated. It should also identify the roles, responsibilities and reporting lines of individual team members.
  4. Include direct contact details for an external PR, IT forensics and legal team and, in case you need to seek an injunction, counsel.
  5. Include contact details for your insurer and identify what (if any) conditions are imposed by your insurance policy in order to claim under it. Note that some cyber security insurers are not obliged to pay if the insurer has not been notified of the breach.
  6. Identify any contractual requirements requiring action in the event of a data breach.
  7. Include processes for responding to incidents that involve another entity and/or that relate to a breach of jointly held information.
  8. Include plans tailored to specific scenarios, e.g.:
    • different types of breaches: a data breach arising from information leaked by a disgruntled employee vs a hack by an external third party or a ransomware attack.
    • different types of detection: via your organisation's internal systems, an external tip-off or from contact by the media.
  9. Include processes for tracing and securing your data.
  10. Consider how you will assess whether to notify affected individuals and other stakeholders (including, for example, banks, professional bodies, regulators, technology platform providers and customers), how to notify, and what you will say if you do. Include a list of relevant stakeholders and their direct contact information.
  11. Consider whether any national security issues will be involved. If so, identify what, if any, additional steps are required in relation to that information.
  12. Include a process for recording breaches (including breaches that are not escalated to the data breach response team), steps taken to rectify the situation and a summary of any decisions made.
  13. Set out a strategy to identify and address any weaknesses in data handling that contributed to the breach.
  14. Outline a system for a post-breach assessment of your entity's response to the data breach and the effectiveness of your data breach response plan.
  15. Be regularly reviewed, tested and (where required) updated.