Why a business data breach response plan matters (and how to create one)

It’s not uncommon to hear stories about large corporations such as Citrix and Starwood Marriott falling victim to data breaches. However, small and medium-sized businesses are often prime targets for these cybersecurity attacks, due to the fact that many smaller companies typically spend less on cybersecurity measures than larger corporations.

No matter the size of the company, recovering from the breach presents similar challenges.

Global cybersecurity attacks are estimated to grow by 15% per year over the next few years, reaching a cost of $10.5 trillion annually by 2025. As cyber criminals become more resourceful, a company must have a cybersecurity policy in place to be prepared for the impact of a cyberattack.

While all businesses are at risk, there are data breach prevention tips that can help lower exposure. Simply understanding the different types of cybersecurity attacks a business is vulnerable to, such as phishing scams and ransomware, can help employees avoid them.

As of 2023, the average data breach costs $4.45 million worldwide, an increase of 2% compared to 2022. In the United States, a data breach cost an average of $4.35 million last year.

The importance of data breach response plan

Businesses should prepare for a cybersecurity attack by creating a comprehensive data breach response plan, which is also known as a data breach response policy, security breach response plan or a cyber incident response plan. These plans help businesses appropriately respond to a cybersecurity attack by providing the necessary steps to respond in a straightforward, documented manner.

There are various data breach response policy templates to utilize, and depending on the size of the business, they can be a few pages to several hundred pages long. While the details can and should be customized to the organization, there are certain things every security breach response plan generally includes.

Having a data breach plan in place will give your business procedures to follow if you are a victim of a data breach. Certain essential elements to the data breach response plan must be considered to pull the procedures together.

Take a look at the company’s current privacy and security policies to use them as a framework for the data breach response plan. There’s usually no need to duplicate efforts and create an entirely new security policy. Instead, save some time and avoid duplicate efforts by expanding the current policy to include cybersecurity attacks and data breaches.

A cybersecurity policy can include a variety of elements that are particular to your small business, including:

• Information on how to protect confidential company data, such as financial information, customer data or internal technologies.
• Instructions for the secure use of personal and company devices.
• Directions for detecting malicious or scam emails or virus infections.
• Management of device and system passwords.
• Guidance for the secure transfer of company or client data.
• Procedures for remote workers.

​To build an effective cybersecurity policy from scratch, it’s recommended to use the “five Ws and one H” questions (who, what where, when, why and how), whose answers are considered basic information in gathering or problem-solving. They are often mentioned in journalism, research and police investigations and constitute a formula for getting the complete story on a subject.

Who is the audience for the cybersecurity policy?

The policy would apply to all employees, contractors, volunteers and anyone who has access to the company’s systems.

What does the cybersecurity policy encompass?

The cybersecurity policy would cover all organization-owned workstations, portable devices, network connections and third-party hosted services.

Where is the company cybersecurity policy in effect?

The cybersecurity policy is applicable to the internal network, external internet connections, VPN connections and third-party services. It needs to be followed in and out of the office or business.

When is the policy applicable and when will it be reviewed?

The policy should have an effective and review date. As the policy is reviewed and updated, a new date can be added.

Why is your company cybersecurity policy important?

A documented cybersecurity policy would provide the organization guidelines for securing the company’s data and infrastructure.

How can you implement a cybersecurity policy for a small business?

To explain how to implement the cybersecurity policy for your small business, experts recommend putting the process and instructions into a standard operating procedure (SOP), which will define the individual steps to implement the cybersecurity policy to ensure that the organization is and stays compliant. Well-constructed SOPs will have checklists and automated procedures that the operations team can follow, and detail roles, responsibilities, communication and contact strategies in the event of a policy violation. It should also include specific incident response and business recovery procedures and document exceptions due to system limitations or extraordinary circumstances. Whenever a policy is updated, the SOP should be reviewed to insure they are aligned.

Identification about what defines a data breach

Businesses should clearly state what type of data breach requires a response plan, which will vary by industry. Perhaps the company stores personally identifiable information (PII), such as social security numbers, date of birth, mother’s maiden name and so on. This type of information is typically legally protected data, and many state laws require businesses to notify the victims after such a data breach. Another common cybersecurity attack involves incidents that could lead to a material loss in the company, for instance, when confidential information or trade secrets become compromised.

Designate a data breach response team

Although there’s no way to determine what departments of the company could be impacted by a data breach, one employee from several key groups, such as IT, Human Resources, Legal, Communications, Compliance, the C-Suite, etc., should be assigned specific roles in the event of a security incident. This team should be immediately notified and understand the responses required for both internal and external inquiries that will undoubtedly arise.

Messaging and communication

A data breach policy should also include a messaging deployment schedule and an escalation process for the key team members mentioned above. A communication plan should follow all legal notification requirements for notifying all parties affected by the breach, such as customers, employees, vendors and more. This process is a vital step that sets the timeline and alerts the victims about the specific data that was compromised. Make sure to seek counsel from the legal team who can review the particular state laws and compliance regulations that apply and what possible compensation might be provided to the victims of the data breach.

Information about what data breach insurance covers

Data breaches have become a fact of life in today’s online world. Cyber insurance grew from the errors and omissions insurance policies developed by tech companies 20 years ago, which were created as a means to cover events like software crashing another company’s network. Along with creating a data breach response policy, today, many companies also utilize cyber liability insurance, sometimes called data breach insurance, to stay protected against financial loss and damage from a cybersecurity attack.

What are data breach protection laws?

Data breach notification laws vary by state, but today, all 50 states have breach notification laws. Most states have implemented legislation requiring businesses to notify customers of the security breach when involving personal information. For example, in Ohio, protected information includes a combination of social security numbers, driver’s license numbers and credit/debit card account numbers. In 2020, California enacted the California Consumer Privacy Act, giving consumers more control over how their data is shared and more protection should a data breach occur.

Additionally, depending on the type of information compromised, each state will have its own specific data breach notification requirements. A business’s legal counsel should be one of the first departments alerted following a cybersecurity attack, as they will research the state’s law on whom to notify in the event of a data breach, and find out if the breach the business experienced fits the type covered by the law.

Some of the parties you may need to notify include:

• Local law enforcement: As soon as you realize your business has been the target of a cybersecurity attack, the legal team should notify local law enforcement to report the situation. Time is of the essence, as the sooner the authorities are made aware of the incident, the more effective they can be in stopping it from escalating further. The FBI’s state office can also be of assistance if the local police aren’t familiar with cyber theft investigations. Law enforcement can also help with the timing of the data breach notification you will send to your customers to ensure it’s not obstructing the investigation.
• Vendors: If any of your company’s vendors or business partners were affected by the data breach – for example, if your business stores or collects customers’ personal information like social security or credit card numbers via a third party vendor — legal counsel needs to notify them as soon as possible. This helps ensure they’ll monitor their accounts accordingly to watch for any potential fraudulent activity.
• Customers: Companies should send valued customers a formal notification of the data breach in the form of an email or letter.

In general, the notification should include the following information:

• How and when the breach occurred.
•  What information was stolen and how it may have been misused.
• The steps being taken to address and remedy the situation.
• Actions the customer can do to protect their information.
• Contact number, email or website customers can visit to learn more.

Remember, the potential damage to your company’s reputation is one of the most significant issues a data breach can cause. Properly communicating with customers helps protect your relationships and rebuilds their confidence in your organization.

Jenna Disser is director of cyber services and incident response at AmTrust Financial. Disser began her legal career as in-house counsel for a global manufacturing company. In 2017, she transitioned to Lewis Brisbois Bisgaard & Smith LLP where she practiced corporate, antitrust and general business law as well as serving as outside counsel for her former company. In 2019, she transitioned her focus to data privacy and cybersecurity law and has been engrossed in this field ever since. In her role with AmTrust, she has combined her business background and cybersecurity experience to guide insureds through the insurance claims process and assist them in recovering from a cyber event as quickly and painlessly as possible. 

This piece originally appeared on the AmTrust website and is republished here with permission. 

Opinions expressed here are the author’s own.

Related:

• Top 10 cyber breaches for the first half of 2023
• Very few companies feel prepared to manage AI risks
• Nearly one-third of data backups fail after a ransomware attack, At-Bay reports