How to develop a data breach response plan: 5 steps
A data breach response plan outlines how a business will react to a breach. Follow these five steps, and use our free template to develop your organization's plan.
Data breaches happen at all organizations. Even the most effective defensive layers -- endpoint and managed detection and response, multifactor authentication and employee awareness training programs -- are beatable if the attacker is sufficiently skilled or motivated.
Having a data breach response plan in place is key to minimizing and containing a breach's effect, as well as better positioning your organization for the future.
What is a data breach response plan?
A data breach response plan is a document outlining how an organization will respond in the event of a data breach. It outlines what constitutes a cybersecurity and information security incident, who is involved in the plan and their contact information, and steps to take in a breach and follow-up actions.
The short- and long-term recovery of your business depends on how it responds to the security breach. Handling the breach in a professional and calm manner shows customers and regulatory bodies you can bounce back without a severe impact on your business. Show a disordered and panicked response, however, and you will erode customers' trust and affect your organization's ability to recover.
Why is a data breach plan important?
Imagine opening your work laptop and a message appears that says, "All your files are encrypted with military-grade encryption. We will be in contact shortly to arrange payment for our unlocking services." You call your organization's IT support team and quickly discover every staff member is having the same problem, including IT.
While investigating the situation, the organization realizes that all company data has been encrypted. All documents are now unusable -- whether they're saved on file servers; in cloud service provider environments, such as AWS, Azure or Google Cloud; or in SaaS systems. The IT team tries to access the backup systems, but all the data backups have been affected, too.
Your business is dead in the water -- it's not even possible to contact clients to tell them what's going on. The hackers then contact the CEO to say that not only has the data been encrypted, but it's also been saved to the hackers' computer systems. They threaten to publish the personal data of clients and staff if the business does not pay the ransom fee within six days. The hackers have investigated your organization's financial situation and request a ransomware payment that is painful but within reach.
This is not an unrealistic scenario. Ask businesses what they would do in this situation -- their real, honest opinion -- and the most common answer would be "panic." Many businesses are ill-prepared for the severity and sophistication of today's cybercriminal groups.
A data breach response plan, therefore, is crucial. The best defense in a worst-case scenario is knowing what you need to do. It's important to have this document that details all necessary steps so that, when the worst happens, the security team can enact the response plan and know what to do. This enables the business to react quickly and decisively.
5 steps for developing a data breach response plan
At a high level, a data breach incident response plan should include the following five steps.
1. Preplanning exercises
Before writing the plan, conduct a risk assessment, and use security policies to categorize what constitutes a breach: what may be affected -- data, people, applications and systems -- and potential cyber attack scenarios, such as ransomware, phishing and credential theft. Also define what will activate the data breach response group.
The data breach response plan should initiate the process for identifying and containing the breach.
2. Define response teams and members
List who will form the data breach response team, their role and their contact details. This should encompass not only the executive team, but also representatives from IT, legal, HR, client teams, marketing and communications.
3. Create a contact list
Create a contact list, and include requirements for contacting regulatory authorities -- who and when. Also, include a list of third-party companies to contact and when. This may include insurance, legal counsel, cybersecurity specialists, outsourced IT providers and PR.
4. Create a communications plan
Create a communications plan with prepared statements for customers, staff and the media. This plan should be adaptable based on the impact of the breach. It needs to consider when and how statements should be released. The timing of these releases also needs to be decided; you don't want to admit there is a data breach until you know enough information about it, but you don't want to wait so long that rumors spread.
5. Perform incident response
Initiate incident response if an event is raised to the data breach response team and meets the criteria of a breach as outlined during step one.
This includes the following:
- keeping a detailed log of all activities;
- initiating incident containment and eradication procedures;
- activating data loss and recovery procedures;
- informing necessary parties, including affected individuals and parties, law enforcement, regulatory authorities and media;
- following data security procedures after the breach is contained, for example, requiring password changes;
- performing analysis to discover how the breach occurred;
- mitigating any vulnerabilities to prevent future incidents;
- sending follow-ups, for example, to reassure affected clients; and
- evaluating breach response and improving or amending the response plan.
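The five steps above can be turned into a completeness check that is run against a draft plan before it is signed off. The following is an added example, not from this article or its template: it encodes a constructed, deliberately incomplete plan for a fictional organization and reports every gap against steps 1 to 5 (the required departments, external contacts, audiences and response procedures are assumptions drawn from the steps above).

```python
"""Completeness check for a data breach response plan (added example, not from the article)."""
from __future__ import annotations

# Constructed sample plan for a fictional organization; deliberately incomplete.
SAMPLE_PLAN = {
    "triggers": ["ransomware", "phishing", "credential theft"],              # step 1
    "team": [                                                                # step 2
        {"role": "Incident lead", "name": "A. Example", "phone": "+1-555-0100", "dept": "IT"},
        {"role": "Legal", "name": "B. Example", "phone": "", "dept": "legal"},
        {"role": "Exec sponsor", "name": "C. Example", "phone": "+1-555-0102", "dept": "executive"},
    ],
    "external_contacts": {                                                   # step 3: who and when
        "regulator": {"who": "data protection authority", "deadline_hours": 72},
        "cyber_insurance": {"who": "insurer hotline", "deadline_hours": 24},
    },
    "statements": {"customers": "draft v1", "staff": "draft v1"},           # step 4
    "response_steps": ["log", "contain", "eradicate", "recover", "notify"],  # step 5
}

# Assumed minimum coverage, taken from the five steps in the text.
REQUIRED_DEPTS = {"executive", "IT", "legal", "HR", "client", "marketing"}
REQUIRED_EXTERNAL = {"regulator", "legal_counsel", "cyber_insurance", "it_provider", "pr"}
REQUIRED_AUDIENCES = {"customers", "staff", "media"}
REQUIRED_RESPONSE = {"log", "contain", "eradicate", "recover", "notify",
                     "analyse", "mitigate", "review"}


def check_plan(plan: dict) -> list[str]:
    """Return one finding per gap; an empty list means all five steps are covered."""
    findings: list[str] = []
    if not plan.get("triggers"):                                   # step 1: activation criteria
        findings.append("step 1: no activation criteria defined")
    team = plan.get("team", [])
    for dept in sorted(REQUIRED_DEPTS - {m.get("dept") for m in team}):   # step 2: roster
        findings.append(f"step 2: no team member from {dept}")
    for member in team:                                            # step 2: contact details
        if not member.get("phone"):
            findings.append(f"step 2: no contact details for role '{member.get('role')}'")
    external = plan.get("external_contacts", {})
    for name in sorted(REQUIRED_EXTERNAL - set(external)):         # step 3: who
        findings.append(f"step 3: missing external contact '{name}'")
    for name, entry in external.items():                           # step 3: when
        if "deadline_hours" not in entry:
            findings.append(f"step 3: no notification deadline for '{name}'")
    for audience in sorted(REQUIRED_AUDIENCES - set(plan.get("statements", {}))):  # step 4
        findings.append(f"step 4: no prepared statement for {audience}")
    for step in sorted(REQUIRED_RESPONSE - set(plan.get("response_steps", []))):  # step 5
        findings.append(f"step 5: response procedure lacks '{step}'")
    return findings
```

Running `check_plan(SAMPLE_PLAN)` lists 11 gaps, including the missing media statement and the absent post-breach analysis, mitigation and review procedures.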
Other steps to consider
Other steps to consider may include the following:
- a plan for how and in what order critical systems and data can be recovered if the breach included a ransomware attack;
- consideration of whether the business would pay a ransom fee if data was irretrievable or at threat of public release and the process for how this would be authorized and executed; and
- testing the response plan regularly using different scenarios to ensure the incident response team is involved and understands its responsibilities -- be sure to amend the plan with any lessons learned after defense breaches and recovery efforts.
If we look at businesses that have successfully recovered from a large-scale data breach, the common denominator is that they all prepared and practiced their response plans. They communicated well with staff, clients and regulatory bodies at the relevant steps of the process, were open with customers about what occurred and detailed how they would ensure the breach's impact was minimized.
Recovery is not just about the ability to restore data and recommence working, but it's equally about the reputation and brand of the business. We've seen companies that have handled breaches in an unprofessional manner lose large numbers of customers or have their share prices affected. The cost of downtime far outweighs the cost of preparing a data breach response plan.
One final point: Don't store the response plan on your main computer network. If the network is encrypted by ransomware, you won't be able to access the document. Make sure each member of the response team has a hard copy, as well as a way to communicate with other team members outside of internal email or messaging systems.