We’re not Ready for a Data Breach

Our IT Security group is top-notch, with a computer incident response plan and team in place. But that merely covers IT Security activities for detect-contain-eradicate-restore. When – not if – we have a true breach, we’ll need to quickly and simultaneously handle many activities way beyond the role of IT Security, such as internal investigation; forensics; legal review of breach notification requirements, service provider responsibilities, and exposures; assessment and triggering of insurance coverages; law enforcement coordination; stakeholder reporting; notifications of regulators and individuals; and HR repercussions, among others.

It’s unfair and unrealistic to expect IT Security to handle all of this, but we don’t have management roles and responsibilities in place to coordinate this successfully. We also are not clear on what response providers we’ll want to use, if needed, for forensics, crisis communications, legal representation, and breach notification, or how this dovetails with any insurance coverage. I really don’t want us to try to figure this out for the first time in the heat of a live one – we need to be ready now, with a plan for breach response.


Data breaches have become inevitable, and effective response is no small feat. There are ten different channels of response activity for an organization that has suffered a data security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance, Crisis Communications, Stakeholders, Notifications, and Personnel Management. Most of these activities are involved in every data breach, and all must be attended to in significant breach scenarios. These activities are not sequential — they overlap, interrelate, and must be handled in a synchronized manner for the response to be successful.

Effective breach response requires breach response readiness. Crucial planning steps include:

  • Coordinating readiness efforts through legal counsel under attorney/client privilege;
  • Gathering the information needed for readiness planning;
  • Identifying and involving your Critical Incident Response Governance Team members;
  • Establishing your breach response service provider relationships;
  • Preparing your Critical Incident Response Plan; and
  • Training your team, to be ready for effective, coordinated response.