10. Operations: Data Breach Incident Plans Flashcards
What do the CCPA and the GDPR address regarding data breaches?
CCPA: provides statutory damages
GDPR: addresses how a company responds to a breach
When a company faces privacy breach litigation, what factors are considered?
- Obligation to prevent unauthorized access to or use of the data
- If the company satisfied an applicable industry standard of care
- Whether there was damage or injury
- If the organization’s conduct or lack thereof was the proximate cause of the damages
What is the average cost of a data incident (Ponemon Institute)?
$3.86 million, and the cost per individual record lost is $146. Costs include:
- Loss of revenue
- Class action litigation and settlement amounts
- Impact on business relationships with third parties
What is the difference between a security incident and a breach?
Incident: the confidentiality, integrity, or availability of PI may potentially be compromised.
Breach: unauthorized access to or acquisition of PI. Breach is a legal term, and definitions may vary. If a breach exists, impacted individuals and regulatory authorities must be notified.
All breaches are incidents, but not all incidents are breaches.
What measures can a company take to prepare for incidents?
- Training
- Incident response plan
- Insurance coverage
- Vendor management (if part of the incident)
How does training help with data incidents?
It exposes gaps in applications, procedures, and pre-incident plans.
It has the potential to reduce financial liability and regulatory exposure.
What should be considered when putting together an incident response plan?
- Type of PI collected
- Format and method of collection
- Third-party relationships
What is the purpose of an incident response plan?
A map for people in the organization that tells them what to do. The plan should include regulatory requirements.
What makes an incident response plan successful?
How effectively stakeholders and constituent teams execute their assigned tasks as a crisis unfolds.
Who should be involved in an incident response?
- IT or information security
- HR/marketing
- Customer relationship management
- Audit and compliance
- Shareholder management
- Business development
- Communications and PR
- Union leadership
- Finance
- President, CEO
- BOD
What may cyber-liability insurance cover?
- Forensic investigations
- Outside counsel fees
- Crisis management services
- PR experts
- Breach notification
- Call center costs
- Credit/identity monitoring
- Fraud resolution and restoration services
What is a Business Continuity Plan (BCP)?
A plan drafted and maintained by key stakeholders that spells out departmental responsibilities and the actions teams must take before, during, and after an event. Situations covered: fire, natural disasters, and terrorist attacks.
What is a tabletop exercise?
A structured readiness-testing activity that simulates an emergency situation, such as a data breach, in an informal, stress-free setting. It prepares people and identifies gaps.
Why should incident response plans and BCPs be current and tested?
There is little strategic, practical, or economic value to a plan that is painstakingly developed but seldom tested or improved.
What are the benefits to investing in breach preparedness training?
- Exposure of critical gaps in applications, procedures, and plans in a pre-incident phase
- Greater overall security for customers, partners, and employees
- Reduced financial liability and regulatory exposure
- Lower breach-related costs, including legal counsel and consumer notification
- Preservation of brand reputation