how to manage a data breach

Post on 20-Jan-2017


Category:

Law


TRANSCRIPT

How to manage a data security incident - Ten tips from a breach practitioner

Dan Michaluk, September 24, 2015

1. Initiate response ASAP

• Time is one of your two most important assets
• You will start in a hole if the incident is not identified and escalated immediately
• Have a policy with a clear duty
• Train to the duty

2. Don't rest on assumptions

• Information is your other important asset
• Probe in areas of discomfort*
• Find the facts and the evidence
• Ask, "What data elements are we dealing with?"
• Ask, "Who is affected?"
• Ask, "What is the risk to the affected?"

*Vendor breaches raise special considerations

3. Keep the ball moving

• Incidents can be complicated
• You deserve reasonable time to understand
• Your timeliness, however, may be judged
• So strive for progress and constant movement

4. Don't rush

• Once you put information on the public record you are stuck with it
• Once you put information on the record you suffer a loss of control
• Never go to the regulator for advice before you know what you are dealing with
• Strive for a confidence level of 90%
• If you need to, send a "placeholder" notice

5. Obtain objective input

• You are human, correct?
• You may be influenced by a feeling of guilt
• You may suffer a temptation to downplay a problem
• Enlisting an outside lawyer and/or crisis communication professional may help

6. Obtain technical input

• IT investigating IT can be a problem, especially in smaller organizations
• If "who" and "how" need to be determined, you may need technical (forensic) help

7. Take a broad view of notification

• Consider statutory and professional obligations
• Consider the foreseeability of harm
• Consider whether people are going to find out
• Yes, there are cases in which notification is not appropriate

8. Put yourself in their shoes

• And ask, "What would I want to know about this?"
• Describe all data elements clearly
• Include all of the basic facts that shed light on the risk

9. Demonstrate commitment to doing better

• Please avoid platitudes like "we value your privacy"
• Demonstrate your commitment by saying what you are going to do
• Draw on a strong root cause analysis and make a genuine commitment to things that will be effective

10. Apologize

• Beware of your jurisdictional exposure when considering statutory privileges
• Good information supports a good apology
• Acknowledge, accept responsibility, express regret
• Deliver it through a senior spokesperson who can demonstrate empathy
