How to create a data breach response plan, with free template
A data breach response plan outlines how a business reacts to a breach. Follow these six steps, and use our free template to develop your organization's plan.
Data breaches happen at all organizations. Even the most effective defensive layers -- endpoint and managed detection and response, MFA and employee security awareness training programs -- are beatable if the attacker is sufficiently skilled or motivated.
Having a data breach response plan in place is key to minimizing and containing a cybersecurity incident's effect, as well as better positioning your organization for the future.
What is a data breach response plan?
A data breach response plan is a document that outlines how an organization will respond in the event of a data breach. It defines what constitutes cybersecurity and information security incidents, who is involved in the plan and their contact information, steps to take in a breach and follow-up actions.
The short- and long-term recovery of your business depends on how it responds to the security breach. Handling a cyberincident professionally and calmly shows customers and regulatory bodies you can bounce back without a severe impact on your business. Show a disordered and panicked response, however, and you erode customers' trust and affect your organization's ability to recover.
Why is a data breach plan important?
Imagine opening your work laptop and a message appears that says, "All your files are encrypted with military-grade encryption. We will contact you shortly to arrange payment for our unlocking services." You call your organization's IT support team and quickly discover every staff member has the same problem, including IT.
While investigating the situation, your organization realizes that all company data has been encrypted. All documents are now unusable -- whether they're saved on file servers; in cloud service provider environments, such as AWS, Azure or Google Cloud; or in SaaS systems. The IT team tries to access the backup systems, but all the data backups have been encrypted, too.
Your business is dead in the water -- it might not even be possible to access clients' contact details to tell them what's happened. The attackers then contact the CEO to say that not only has the data been encrypted, but it's also been saved to the attackers' computer systems. They threaten to publish the personally identifiable information of clients and staff if the business does not pay the ransom within six days. The malicious hackers have investigated your organization's financial situation and request a ransomware payment that is painful but within reach.
This is not an unrealistic scenario. Ask businesses what they would do in this scenario -- their honest opinion -- and the most common answer would be "panic." Many businesses are ill-prepared for the severity and sophistication of today's cybercriminal groups.
A data breach response plan, therefore, is crucial. The best defense in a worst-case scenario is knowing what you need to do. How you react to an incident can significantly impact the long-term effect of the breach, both in terms of recovering faster and maintaining the company's reputation. It's important, therefore, to have a plan that details all necessary steps so that, when the worst happens, the security team can enact the response plan and know what to do. This enables the business to react quickly and decisively.
6 steps for developing a data breach response plan
At a high level, a data breach incident response plan should include the following six steps.
1. Perform preplanning exercises
A data breach response plan should initiate the process of identifying and containing the breach.
Before writing the plan, conduct a risk assessment. Use security policies to categorize what constitutes a breach, including what could be affected -- e.g., data, people, applications and systems. Have an accurate asset register that contains where all the organization's data is held, whether on-premises or in the cloud. Also, include potential cyberattack scenarios, such as ransomware, phishing and credential theft. Define what circumstances activate the data breach response group.
Now is the time to test to ensure backups are safely segregated and can be restored in the event of a major incident.
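A restore drill for this step, as an added illustration that is not part of the original article: a backup is restored and every file's SHA-256 is compared against a manifest recorded at backup time, so a backup that was silently corrupted or encrypted before the drill is caught. The tar-plus-manifest layout and the sample files are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import io
import tarfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Constructed stand-in for a backup job: in-memory tar plus digest manifest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {name: sha256_bytes(data) for name, data in files.items()}
    return buf.getvalue(), manifest


def restore_drill(archive: bytes, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Extract each member and classify it as ok, mismatch (digest differs) or missing."""
    result: dict[str, list[str]] = {"ok": [], "mismatch": [], "missing": []}
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            seen.add(member.name)
            bucket = "ok" if manifest.get(member.name) == sha256_bytes(data) else "mismatch"
            result[bucket].append(member.name)
    result["missing"] = sorted(set(manifest) - seen)  # in manifest but not restorable
    return result


def demo_drill() -> dict[str, list[str]]:
    """Constructed scenario: the backup copy was altered after the manifest was written."""
    originals = {"clients/list.csv": b"acme,alice@example.test\n",
                 "finance/q1.xlsx": b"PK\x03\x04 sample sheet",
                 "hr/policy.txt": b"acceptable use v3\n"}
    _, manifest = build_backup(originals)
    damaged = dict(originals)
    damaged["finance/q1.xlsx"] = b"\x8f\x12\xa0 unreadable ciphertext"  # overwritten
    del damaged["clients/list.csv"]                                     # deleted
    bad_archive, _ = build_backup(damaged)
    return restore_drill(bad_archive, manifest)


if __name__ == "__main__":
    print(demo_drill())
```

Run the drill against a backup that lives on segregated or offline storage, not against the copy sitting on the production file share.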
2. Define response teams and members
List who forms the data breach response team, their role and their contact details. This should encompass not only the executive team, but also representatives from IT, legal, HR, client teams, marketing and communications. Define how the data breach response team should communicate and the time frame in which they need to convene.
3. Create a contact list
Create a contact list, and include requirements for contacting regulatory authorities -- who and when. Also, include a list of third-party companies to contact and when. This might include insurance, legal counsel, cybersecurity specialists, outsourced IT providers and PR. Decide and document when and how to inform other stakeholders, such as clients, internal staff and suppliers.
4. Create a communications plan
Create a communications plan with prepared breach notification statements for customers, staff and the media. This plan should be adaptable based on the extent of the breach and the data impacted. Decide in advance how statements will be released and when: you don't want to admit a data breach occurred until you know enough about it, but you don't want to wait so long that rumors spread.
5. Write the plan
Write a plan tailored to your organization using the information gathered and created in the previous steps. Review IT security frameworks and standards to help develop the specific steps in the plan. For example, NIST's "Computer Security Incident Handling Guide" and SANS Institute's "Incident Management 101" include the following steps:
- Preparation.
- Identification, detection and analysis.
- Containment and eradication.
- Recovery.
- Post-incident review and lessons learned.
Consider creating separate playbooks for each type of incident identified in step one.
6. Perform incident response
Initiate incident response if an event is raised to the data breach response team and meets the criteria of a breach as outlined during step one.
This includes the following steps:
- Assemble the incident response team.
- Contact third parties as outlined in the data breach response plan.
- Keep a detailed log of all activities.
- Initiate incident containment and eradication procedures.
- Activate data loss and recovery procedures.
- Inform necessary parties, including affected individuals and parties, law enforcement, regulatory authorities and media.
- Follow data security procedures after the breach is contained, for example, requiring password changes.
- Perform forensic analysis to discover how the breach occurred.
- Remediate any vulnerabilities to prevent future incidents.
- Send follow-up communication, for example, to reassure affected clients.
- Evaluate breach response, and improve or amend the response process and plan, as needed.
Data breach response plan template
Click here to access our editable data breach response plan template. Use it to guide your organization's response to a cybersecurity incident.
Other steps to consider
When building a data breach response plan, it is also important to consider the following:
- Create a plan for how and in what order to recover critical systems and data if the breach included a ransomware attack.
- Decide whether the business would pay a ransom fee if data were irretrievable or at threat of public release. Document how to authorize and execute this process.
- Test response plans regularly using different scenarios to ensure the incident response team is involved and understands its responsibilities. Amend the plan with any lessons learned after defense breaches and recovery efforts.
Businesses that have successfully recovered from a large-scale data breach have a common denominator: They all prepared and practiced their response plans. They communicated well with staff, clients and regulatory bodies at the relevant steps of the process, were open with customers about what occurred and detailed how they would ensure the breach's impact was minimized.
Recovery isn't just about the ability to restore data and recommence working; it's equally about the business's reputation and brand. Companies that have handled breaches unprofessionally have lost large numbers of customers or seen their share prices affected. The cost of downtime far outweighs the cost of preparing a data breach response plan.
One final point: Don't store the response plan on your main computer network. If the network is encrypted by ransomware, you won't be able to access the document. Make sure each member of the response team has a hard copy and a way to communicate with other team members outside of internal email or messaging systems.
Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.