"While there has been great progress among businesses and institutions in data breach prevention, breaches can still occur and it's important to execute the right steps after an incident," said Michael Bruemmer, vice president at Experian. "Being properly prepared doesn't stop with having a response plan. Organizations need to practice the plan and ensure it will result in smooth execution that mitigates the negative consequences of a data breach."
Those possible outcomes can include a loss of customers, regulatory fines and class-action lawsuits. Studies show that a majority of organizations had or expect to have a data breach that results in the loss of customers and business partners, and more than 65 percent of companies have or believe they will suffer serious financial consequences as a result of an incident.
Among companies that had breaches, the average cost reported of incidents was $9.4 million in the last 24 months. These costs are only a fraction of the average maximum financial exposure of $163 million that the companies surveyed (breached or not) believe they could suffer due to cyber incidents.
According to Bruemmer, three of the most common mistakes include:
No engagement with outside counsel — Enlisting an outside attorney is highly recommended. No single federal law or regulation governs the security of all types of sensitive personal information. As a result, determining which federal law, regulation or guidance is applicable depends, in part, on the entity or sector that collected the information and the type of information collected and regulated. Unless internal resources are knowledgeable with all current laws and legislations, it is best to engage legal counsel with expertise in data breaches to help navigate through this challenging landscape.
No external agencies secured — All external partners should be in place prior to a data breach so they can be called upon immediately when a breach occurs. The process of selecting the right partner can take time as there are different levels of service and various solutions to consider. Plus, it is important to think about the integrity and security standards of a vendor before aligning the company brand with it. Not having a forensic expert or resolution agency already identified will delay the data breach response process.
No single decision maker — While there are several parties within an organization that should be on a data breach response team, every team needs a leader. Determine who will be the driver of the response plan and primary contact to all external partners. Also, outline a structure of internal reporting to ensure executives and everyone on the response team is up to date and on track during a data breach.