how to manage a data breach

How to manage a data security incident - Ten tips from a breach practitioner Dan Michaluk September 24, 2015


Post on 20-Jan-2017


1. Initiate response ASAP

• Time is one of your two most important assets
• You will start in a hole if the incident is not identified and escalated immediately
• Have a policy with a clear duty
• Train to the duty

2. Don't rest on assumptions

• Information is your other important asset
• Probe in areas of discomfort*
• Find the facts and the evidence
• Ask, "What data elements are we dealing with?"
• Ask, "Who is affected?"
• Ask, "What is the risk to the affected?"

*vendor breaches raise special considerations

3. Keep the ball moving

• Incidents can be complicated
• You deserve reasonable time to understand
• Your timeliness, however, may be judged
• So strive for progress and constant movement

4. Don't rush

• Once you put information on the public record you are stuck with it
• Once you put information on the record you suffer a loss of control
• Never go to the regulator for advice before you know what you are dealing with
• Strive for a confidence level of 90%
• If you need to, send a "placeholder" notice

5. Obtain objective input

• You are human, correct?
• You may be influenced by a feeling of guilt
• You may suffer a temptation to downplay a problem
• Enlisting an outside lawyer and/or crisis communication professional may help

6. Obtain technical input

• IT investigating IT can be a problem, especially in smaller organizations
• If "who" and "how" need to be determined, you may need technical (forensic) help

7. Take a broad view of notification

• Consider statutory and professional obligations
• Consider the foreseeability of harm
• Consider whether people are going to find out
• Yes, there are cases in which notification is not appropriate

8. Put yourself in their shoes

• And ask, "What would I want to know about this?"
• Describe all data elements clearly
• Include all of the basic facts that shed light on the risk

9. Demonstrate commitment to doing better

• Please avoid platitudes like "we value your privacy"
• Demonstrate your commitment by saying what you are going to do
• Draw on a strong root cause analysis and make a genuine commitment to things that will be effective

10. Apologize

• Beware of your jurisdictional exposure when considering statutory privileges
• Good information supports a good apology
• Acknowledge, accept responsibility, express regret
• By a senior spokesperson who can demonstrate empathy
