
    Creating a Data Loss Incident Plan

    The Online Trust Alliance (OTA) advocates that all businesses create an incident response plan and be prepared for the likelihood that they will experience a breach or data loss in the future. The fact is breaches happen and often at the worst of times. Rather than be lulled into the belief it will not happen to your business, a well-designed plan is emerging as an essential part of regulatory compliance, demonstrating that a firm or organization is willing to take reasonable steps to protect data from abuse. Doing so is good business. Developing a plan can help to minimize risk to consumers, business partners and stockholders, while increasing brand protection and the long-term viability of a business.

    This slideshow highlights key questions and recommendations for businesses to consider while building a data loss incident plan.

    Creating a Data Loss Incident Plan - slide 1

    Key insights on creating a data loss incident plan from the Online Trust Alliance (OTA).

    Creating a Data Loss Incident Plan - slide 2

    To aid in the development of a data loss incident plan and help maximize business continuity, organizations are encouraged to self-audit their level of preparedness by surveying key management leaders and a representative sample of employees with the following questions:

    1. Do you know what sensitive information is maintained by your company, where it is stored and how it is kept secure? Do you have an accounting of all information stored including backups and archived data?
    2. Do you have an incident response team in place ready to respond 24/7?
    3. Are management teams aware of security, privacy and regulatory requirements related specifically to your business?
    4. Have you completed a privacy and security audit of all data collection activities including cloud and outsourced services?
    5. Are you prepared to communicate to customers, partners and stockholders?
    6. Do you have readily available access codes and credentials to critical systems in the event key staff are not available or are incapacitated?
    7. Are employees trained and prepared to notify management in the case of accidental data loss or a malicious attack? Are employees reluctant to report such incidents for fear of disciplinary action or termination?
    8. Have you coordinated with all necessary departments with respect to breach readiness?
    9. Do you have a privacy review and audit system in place for all data collection activities, including that of third-party service providers? Have you taken necessary or reasonable steps to protect users' confidential data?
    10. Do you review the plan on a regular basis to reflect key changes? Do key staff members have hard copies of the plan readily accessible in their offices and homes?

    Creating a Data Loss Incident Plan - slide 3

    A preventative and mitigating first step is identifying and classifying data which is 1) in use, 2) in motion (archived or stored) and 3) at rest. Organizations should determine the useful life, level of sensitivity and applicable regulatory requirements of all data, and assign a value to that data when creating their data classification policies. It is advisable to have legal counsel review your data classification policies.

    Creating a Data Loss Incident Plan - slide 4

    A data loss incident plan should address employee access to all customer, business-confidential and sensitive data and should include:

    • Validating appropriate employee use and data access
    • Scanning of outbound e-mail for content
    • Scanning of data copied to removable media such as USB sticks and CDs/DVDs
    • Auditing of data repositories such as third-party data shares and storage
    • Device management, including securing, limiting, tracking and/or remote wiping of data on external storage devices

    In addition, provisions should be established to automatically revoke all credentials upon termination or resignation.

    Creating a Data Loss Incident Plan - slide 5

    System log analysis can be an essential component of an incident response plan and a tool to aid law enforcement. Upon discovery of an incident, the first steps are to take a “snapshot” of the environment as it existed after the breach and to isolate the system from the network and Internet. This can be accomplished by simply unplugging the network connection or turning off wireless connectivity. Do not shut a server or system down; doing so may delete critical log and cached data.
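    The following is an added example, not code from the OTA or from the original slideshow. It shows one way to make the “snapshot” step verifiable: log files are copied (preserving their timestamps) into a snapshot directory, a manifest of SHA-256 hashes and capture time is written beside them, and the snapshot can later be re-verified so that analysts, auditors or law enforcement can confirm the captured logs were not altered. The log paths, the snapshot directory and the sample log lines are all constructed here for illustration; a real run would point at the host's actual logs and write to external media.

```python
"""Added example (not OTA's code): preserve a verifiable "snapshot" of log
files from a compromised host before it is isolated, so that later analysis
and any hand-off to law enforcement can show the evidence was not altered.

Assumptions for illustration: the log paths, the snapshot directory and the
sample log lines are all constructed here; a real run would point at the
host's actual logs and write to external media.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024


def sha256_file(path):
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_logs(log_paths, snapshot_dir):
    """Copy each log into snapshot_dir and record a manifest of hashes and sizes.

    copy2 preserves the original modification times, which matter for a timeline.
    Returns the manifest dict (also written to MANIFEST.json beside the copies).
    """
    os.makedirs(snapshot_dir, exist_ok=True)
    manifest = {
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "files": {},
    }
    for src in log_paths:
        name = os.path.basename(src)
        dst = os.path.join(snapshot_dir, name)
        shutil.copy2(src, dst)
        manifest["files"][name] = {
            "source": src,
            "size": os.path.getsize(dst),
            "sha256": sha256_file(dst),
        }
    with open(os.path.join(snapshot_dir, "MANIFEST.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_snapshot(snapshot_dir):
    """Re-hash every captured file; return the names whose contents no longer match."""
    with open(os.path.join(snapshot_dir, "MANIFEST.json")) as fh:
        manifest = json.load(fh)
    mismatched = []
    for name, meta in manifest["files"].items():
        path = os.path.join(snapshot_dir, name)
        if not os.path.isfile(path) or sha256_file(path) != meta["sha256"]:
            mismatched.append(name)
    return mismatched


def demo():
    """Build constructed sample logs, snapshot them, then show tampering is detected."""
    work = tempfile.mkdtemp(prefix="dlip-")
    log_dir = os.path.join(work, "var_log")
    os.makedirs(log_dir)
    # Constructed sample log lines (not from any real system).
    samples = {
        "auth.log": "Jan 10 02:14:07 host sshd[911]: Accepted publickey for svc from 203.0.113.7\n",
        "syslog": "Jan 10 02:14:09 host cron[120]: (root) CMD (/usr/local/bin/backup)\n",
    }
    paths = []
    for name, text in samples.items():
        path = os.path.join(log_dir, name)
        with open(path, "w") as fh:
            fh.write(text)
        paths.append(path)

    snap = os.path.join(work, "snapshot")
    manifest = snapshot_logs(paths, snap)
    clean = verify_snapshot(snap)          # [] when the copies are intact
    # Simulate a modification after capture; the manifest hash no longer matches.
    with open(os.path.join(snap, "auth.log"), "a") as fh:
        fh.write("Jan 10 03:00:00 host sshd[911]: (line added after capture)\n")
    tampered = verify_snapshot(snap)       # ["auth.log"]
    return manifest, clean, tampered


if __name__ == "__main__":
    m, clean, tampered = demo()
    print(json.dumps(m, indent=2))
    print("intact:", clean == [], "modified after capture:", tampered)
```

    Run `python snapshot.py` (any file name) to see the manifest and the tamper check; the hashing is done on the copies rather than the originals so the manifest describes exactly what was preserved, and because the host is never shut down, volatile data referenced by those logs is still available for the analysis that follows.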

    Creating a Data Loss Incident Plan - slide 6

    The increased complexity of internal systems and the use of outsourced and temporary employees, contractors and remote workers increase the risk. There is a wide array of technologies and third-party solutions to help identify accidental, unauthorized and/or illegal movement or transfer of data and documents. The following security best practices are recommended for every organization:

    • Use of Secure Sockets Layer (SSL) for all data collection forms
    • Extended Validation SSL Certificates for all commerce and banking applications
    • Data & disk encryption
    • Multi-layered firewall protection
    • Encryption of wireless routers
    • Default disabling of shared folders
    • Dual factor authentication to limit or control access
    • Review of the security risks of password reset and identity verification security questions
    • Upgrading to browsers with integrated anti-phishing and anti-malware
    • E-mail authentication to help detect malicious and deceptive e-mail and websites
    • Upgrading to current browsers
    • Enabling privacy and data collection controls
    • Automatic patch management for operating systems, applications & add-ons
    • Inventory system access credentials
    • Remote wiping of smart phones
    • Use of DNSSEC (Domain Name System Security Extensions)

    Creating a Data Loss Incident Plan - slide 7

    A comprehensive annual audit should be conducted to understand what data is collected, so the company can revalidate the business need for its collection and retention. Data retention and destruction policies should dictate how long information needs to be retained and how to destroy data once past its retention period. As requirements change, retention periods and data destruction processes should be reviewed annually, or as needed, to comply with regulatory requirements.

    Creating a Data Loss Incident Plan - slide 8

    Data loss and identity theft occur not only from accidental physical loss, but also from an ever-increasing level of deceptive practices. Forged e-mail, malvertising, phishing, deceptive acquisition of domains, and creation of bogus websites to capture consumer personal data are all on the rise. Such exploits may result in the installation of malware and keystroke loggers via Trojans and deceptive downloads. Steps should be taken to mitigate these exploits. For example, a company should authenticate all outbound e-mail with declarative policies to help detect e-mail spoofing, lock all domains against transfer, monitor domain registration, and implement Extended Validation Secure Sockets Layer (EV SSL) certificates.
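    The “declarative policies” for outbound e-mail authentication that the slide refers to are published as DNS TXT records (SPF and DMARC). The following is an added example, not code from the OTA or from the original slideshow: it parses an SPF and a DMARC record and flags settings that leave spoofing undetected, showing a weak record next to its corrected form. The records, the domain names (example.com, example.net) and the 203.0.113.0/24 range are constructed for illustration; a real check would fetch the live records from DNS.

```python
"""Added example (not OTA's code): assess the SPF and DMARC TXT records an
organization publishes for its sending domains and flag weak settings.

The records below are constructed for illustration (example.com / example.net
and 203.0.113.0/24 are documentation names and ranges); a real check would
fetch the records from DNS instead of using these constants.
"""
import re

# Weak settings beside their corrected form (constructed).
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

# SPF terms that cost a DNS lookup; more than 10 makes receivers return permerror.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record):
    """Return a list of findings for an SPF record; an empty list means no weakness found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # A mechanism without an explicit qualifier is treated as "+" (pass).
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()
        if mechanism == "all":
            all_qualifier = qualifier
        elif mechanism in LOOKUP_MECHANISMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no terminating 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every host on the Internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral, so receivers cannot reject forged mail on SPF alone")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means no weakness found."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports about spoofing attempts are never received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("corrected", STRONG_SPF, STRONG_DMARC)):
        print(f"[{label}] SPF   {spf}\n  findings: {assess_spf(spf) or 'none'}")
        print(f"[{label}] DMARC {dmarc}\n  findings: {assess_dmarc(dmarc) or 'none'}")
```

    The two checks are deliberately conservative: an SPF record that ends in `+all` or has no `all` term at all gives receivers nothing to reject on, and a DMARC record at `p=none` without a reporting address means forged mail is delivered and the organization never learns about it. Moving to `-all` and `p=reject` with `rua=` is the corrected form shown above; `pct` below 100 is flagged because it is meant as a rollout step, not a steady state.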

    Creating a Data Loss Incident Plan - slide 9

    Having a summary list of key systems, access credentials and key contacts is essential to threat mitigation and to minimize impact on business operations. This list should be kept secure yet accessible at all times to respond to not only data incidents, but to physical disasters or loss of key personnel. Such a list should include but not be limited to the following:

    • Registrar, including DNS access
    • Server hosting provider, including IP address
    • Cloud service providers including data backup, e-mail service providers and others
    • Payroll providers
    • Merchant card processor
    • Company credit cards
    • Bank accounts

    Creating a Data Loss Incident Plan - slide 10

    Data breaches are by nature interdisciplinary events that require coordinated strategies. Every functional group within an organization needs to be represented, including but not limited to information technology, information security, compliance or risk management, human resources, operations, legal, public relations, finance, and customer service. In addition, sales, business development, procurement and stockholder relations groups all should be included to fully anticipate the ramifications to business continuity.

    As a first step, organizations should appoint an executive with defined responsibility and decision-making authority with respect to data breach response. It is suggested this role be assigned to a Board member, corporate officer or high-level employee, as they could be required to provide Board briefings and need to be equipped with decision-making authority. Combined with a project plan, every employee should know who is in charge, who to call and what to do.

    Creating a Data Loss Incident Plan - slide 11

    Preselect service providers for functions including legal, public relations, notification activities and services. Utilizing such services will help preserve consumer trust and brand loyalty. In addition, brands should consider domain monitoring and take-down services to help reduce the exposure from malicious and phishing sites and to audit outbound e-mail for compliance to the latest e-mail authentication protocols. Other third parties to be considered include credit monitoring and identity theft management companies, as well as call centers to accommodate anticipated spikes in call volumes.

    Creating a Data Loss Incident Plan - slide 12

    A plan that includes a timeline and process is a critical tool for managing the pressing demands resulting from a breach. It is not uncommon to find public relations, sales, law enforcement, regulators, consumers and media with competing priorities. It is important to anticipate the needs and manage the expectations of each group, which is very difficult to do without a realistic and comprehensive timeline. Plans need to have the ability of being “activated” 24/7, including holidays and weekends, as the criminal does not necessarily work a standard workweek. A plan needs to address: what is the impact, what needs to be done, and what are the legal and regulatory obligations. The plan should be able to estimate the impact to the bottom line and quickly determine and communicate how the breach occurred. Organizations need to publish the plan and procedures for employee reference.

    Creating a Data Loss Incident Plan - slide 13

    Business decision makers need to be familiar with the disclosure requirements of the regulations which govern their industry, including not only digital data but the controls over respective paper documents and redress procedures. It is important to note that some state laws conflict with one another, so it is very important to be intimately familiar with all requirements. Different types of data loss events may require different responses – e.g., the theft of important confidential corporate information by a former employee would be handled differently than the loss of thousands of employees’ Social Security numbers, credit card data, or an e-mail list with millions of records, which could trigger obligations under the law. In most scenarios, messaging should include how the incident occurred, the scope of the incident, what steps are being taken to help individuals and what is being done to prevent a reoccurrence. All communications should be carefully coordinated with legal counsel and law enforcement to ensure legal compliance while preventing tipping the hand to the perpetrator and preserving forensics.

    Creating a Data Loss Incident Plan - slide 14

    Customers, employees, investors, regulators, and other key stakeholders will lose confidence and trust in an organization that does not communicate effectively. This can have a direct impact on the bottom line – from lost revenues (and increased marketing expenses to recapture those revenues) to additional legal, compliance and public relations expenses. The communications component of a plan needs to address three critical components: 1) internal communications, 2) communication to impacted parties and 3) communication to applicable regulatory parties. A well-executed communications plan not only minimizes harm and potential legal liability but can actually enhance a company’s overall reputation.

    The communications component of the data loss incident plan should have a set of pre-approved Web pages and templates staged, phone scripts prepared and frequently asked questions (FAQs) drafted and ready for posting. Staffing needs to anticipate call volumes and steps to minimize hold times, and to consider the need for multilingual support. In the case of phishing exploits as the cause of the incident, it is suggested organizations create a phishing warning page and FAQ in advance, and post it in place of the deceptive site as a teachable moment for users.

    Creating a Data Loss Incident Plan - slide 15

    While the actual occurrence of identity theft from such breaches may be low, the threat to consumers' trust in your brand can be significant. A data loss incident plan should evaluate what remedy, if any, should be offered to affected individuals (or businesses). Offers can help to offset any inconvenience and damage, or the negative perception of an organization's brand. Damage may impact not only your customers but also business affiliates and partners. Offering a remedy can provide the opportunity to turn a potentially bad situation into a positive brand experience. Typical offers have included credit reporting monitoring, identity theft protection, and website gift certificates. Customers want companies to take responsibility and protect them from potential consequences of identity theft.

    Creating a Data Loss Incident Plan - slide 16

    The first step is providing baseline privacy training, defining PII (or covered information based on your business and regulatory requirements), sensitive data and internal confidential data. It is recommended employee training include (but not be limited to) data collection mechanisms, retention policies, handling and sharing policies, as well as data loss reporting procedures. Company personnel who are part of the response team should be prepared both to investigate and report findings and to communicate with media and regulatory authorities. Employees should be required to review plans annually and upon hire.

    Creating a Data Loss Incident Plan - slide 17

    Organizations should carefully analyze past events to improve their plan and minimize the possibility of future recurrences. Conducting “fire drills” and annual audits can be an essential part of testing a crisis management plan. Ideally, plans should be tested regularly during the year, including weekends, and critiqued to remediate any deficiencies. Any breach recovery effort should also include a post-mortem analysis stage where you gather key team members to analyze the breach and document corrective actions. This phase is especially important to keep structured documentation for regulatory compliance and for Board review.

    Creating a Data Loss Incident Plan - slide 18

    Prepare for the possibility of litigation. Preservation of all relevant information, communications and system logs is essential. Lost or missing data could create additional scrutiny and brand damage. Service providers' policies and business practices should receive legal review prior to their selection and annually thereafter.

    Creating a Data Loss Incident Plan - slide 19

    Responding to an accidental loss, cyber security intrusion or data breach incident is often an unbudgeted expense, including less tangible costs such as loss of business, increased insurance cost, and higher merchant card processing fees. The heat of a crisis is not the time to make vendor selections. Consider pre-contracting services for affected individuals. Offering credit monitoring services, fraud resolution, and/or ID theft insurance can help minimize the impact and reduce the chance of customer defections or lawsuits. Many organizations have business continuity and interruption insurance to cover costs, including the hiring of a crisis public relations firm, notifying regulators and affected parties, and providing monitoring and identity theft remediation services to affected individuals. Annually review your insurance coverage (or bank line of credit) to ensure it is keeping pace with regulatory requirements and your business and data collection practices.
