Data breach incidents can occur suddenly and often have devastating effects. But smart organizations understand breaches may be inevitable and have crafted thorough plans to respond to such incidents, says Salim Gheewalla of Calian IT & Cyber Solutions.
It’s the dead of night on Christmas Eve; a frantic CEO is leaving his team voicemails. The CMO checks hers and learns a harsh, terrible truth: The company has fallen victim to a data breach. It’s like realizing your phone battery is on 1% during an important call — sudden, alarming and leaving you scrambling for a solution.
For all companies, data breaches represent a present threat; but for some companies, being caught flat-footed in the face of a data breach could run them afoul of state or federal regulations that necessitate a diligent approach to compliance. This means every department must get involved and align with messaging, procedures and infosec best practices to not only mitigate risks, but act quickly and thoughtfully when data breaches happen.
Step 1: Compliance thresholds and reporting
Compliance reports reveal vulnerabilities and areas for improvement. CISOs and other business leaders can then use that information to determine next steps, allocate resources and create new strategies.
A comprehensive report requires marketing and communications executives to act as a central communication point and collaborate with senior leadership, legal counsel, and relevant stakeholders to:
- Identify regulatory compliance: Determine applicable regulatory frameworks, such as HIPAA, GDPR, PCI DSS or industry-specific regulations. This includes following SEC regulations, which require some organizations to develop, implement and maintain written policies and procedures able to detect, respond to and recover from breach incidents and unauthorized access to consumer information.
- Define breach thresholds: Establish clear criteria for what constitutes a reportable data breach under regulatory guidelines and internal policies. We don’t want to cry wolf every time something small happens only to be ignored when something big happens.
- Understand reporting timelines: Emphasize familiarity with mandated reporting timelines, ensuring timely notification to regulatory bodies, shareholders, and affected individuals. For example, the SEC requires organizations to file a report within four days of a data breach.
Navigating Personal Liability: Post–Data Breach Recommendations for Officers
Executives may be on the hook if info is compromised
Read moreDetailsStep 2: Communication channels and compliance messaging
Effective compliance communication hinges on clarity, accuracy and adherence to regulatory requirements. Executives should not only understand infosec systems and operations to minimize risks and maintain safety, but they should also be skilled in communicating about infosec with internal and external stakeholders. During a crisis, this means:
- Designating compliance communication channels: Establish dedicated channels for internal reporting, coordination, and external disclosures to regulatory agencies and stakeholders. Who is your spokesperson?
- Crafting compliance messaging: Ensure communications align with regulatory standards, avoiding unnecessary disclosure of sensitive information that could compromise security or legal compliances.
- Coordinate with legal and compliance teams: Collaborate closely with legal and compliance experts to review and approve all communication materials, ensuring compliance with regulatory mandates and internal policies.
Step 3: Forensic investigation and documentation
Cybersecurity insurance companies and regulatory compliance often mandate a thorough forensic investigation and comprehensive documentation of the breach incident. This step is two-fold, uncovering valuable information to provide protection right after an incident occurs and prevent breaches from happening.
Executives should:
- Initiate forensic investigation: This is not mandatory for all incidents and will depend on the type and depth of the data breach. Sometimes, even if it is not required, you may still want to initiate a forensic investigation by working with a third party to ensure the event is contained and thoroughly understood.
- Comply with forensic requirements: Adhere to regulatory guidelines and insurer requirements regarding the scope and depth of the forensic investigation, pausing remediation efforts if necessary to preserve evidence. While this may lead to a longer downtime, it is crucial to strictly follow forensic requirements.
- Document compliance efforts: Maintain detailed records of all compliance-related activities, including incident response actions, forensic findings, communication efforts and regulatory filings.
- Share the results: Your employees, customers and external stakeholders will want to know the findings. The first step to rebuilding credibility, trust and loyalty lies in transparency. Find ways to highlight key points and summarize major takeaways to clearly communicate the results.
Step 4: Tailored communication and risk management
No two remediation strategies will look exactly the same, which is why a tailored approach to risk management and communication strategies is essential. Focus on the organization’s risk profile and compliance obligations to paint a picture of the current situation, then share the information with all relevant parties.
Executives should:
- Assess risk tolerance: Evaluate the organization’s risk tolerance and regulatory obligations to determine the appropriate level of communication and transparency.
- Manage compliance risk: Mitigate compliance risks by adhering to regulatory requirements, maintaining transparency with stakeholders, and prioritizing data security and privacy.
- Facilitate compliance reporting: Ensure accurate and timely reporting of the breach incident to regulatory authorities, shareholders and affected individuals in accordance with applicable regulations and internal policies.
- External communications: Your company should have guidelines for external communications — including agreement on who will assume the role of lead communicator — and procedures for communicating with partners, customers and potential media inquiries. These internal communications compliance standards should be set and agreed upon by board members and all senior leadership officials. In addition, communicate this information to all relevant management positions so there are no missteps in communicating the incident to external parties.
Teamwork is the key
A crisis can feel like a constant onslaught of obstacles and hurdles for organizations to overcome just to see a small glimmer of light at the end of the tunnel. This process reveals just how closely infosec and communications departments must work to overcome a crisis. Executives must find ways to work with infosec teams to enhance security measures and communication teams to rebuild brand reputation.
This union plays a pivotal role during data breach incidents, ensuring accurate and timely information is disseminated across all relevant departments and stakeholders. Regular check-in calls keep stakeholders informed and aligned, and this facilitates swift decision-making and proactive measures. At the same time, this transparency ensures team members feel equipped to take on issues as they unfold. This proactive approach minimizes disruptions and protects the organization’s reputation.
Today, data breaches pose significant risks to organizations, both in terms of legal and regulatory consequences and reputational damage. While robust security measures are critical for preventing cybersecurity incidents, the ability to effectively manage compliance and communication is just as crucial. This approach not only helps to minimize legal and financial risks,but also demonstrates the organization’s commitment to protecting sensitive information.
Salim Gheewalla is vice president of marketing and alliances for Calian IT & Cyber Solutions.
