CH 9: Data Breach Incident Plans

Question 1

Confirmed disclosure of data to unauthorized party. Requires notification to authorities and/or customers.

Answer 1

Data breach

Question 2

A situation in which the confidentiality, integrity or availability of personal information may potentially be compromised. May not require notification.

Answer 2

Data incident

Question 3

average cost of data breach

Answer 3

3.92 million

Question 4

data breach risks for an organization

Answer 4

loss of revenue, legal & regulator fines, loss of business, impact on business relationships, loss of customer trust, damage to public perception

Question 5

data breach risks for an individual

Answer 5

emotional distress, identity theft, personal reputational harm, financial damage from misuse of credit/debit cards

Question 6

What is the top cause of breaches?

Answer 6

Malicious or criminal attack.

Question 7

How do breaches occur?

Answer 7

Malware (28%), internal actors (34%), hacking (52%), phishing (32)%, perpetrated by outsiders (62%)

Question 8

How can you prepare for an incident?

Answer 8

Incident response team and plan in place, employee training, threat-sharing, BCM involvement, board-level buy-in

Question 9

How can you prepare your team for an incident?

Answer 9

Training (e.g., tabletop exercises), be an active members of the incident response team, provide guidance on breach notification requirements

Question 10

Who should fund training?

Answer 10

Leaders often disagree; consider a shared-cost arrangement

Question 11

Who should receive training?

Answer 11

Different levels for different groups, but all employees should have a basic understanding

Question 12

Who should lean incident response plan creation?

Answer 12

Privacy office or legal; with help from IT, communications, HR, senior management, etc. Stakeholders will vary by organization.

Question 13

What guidelines, processes and procedures will you need to develop in order to create an incident response plan?

Answer 13

Roles & responsibilities (who will call the shots), severity ratings and triggers for escalation, team contact info (a breach will not happen at a convenient time), how to report suspicious communications/activity, regulatory requirements, how to interact with authorities, info on key vendors and counsel (who are your lawyers that you call straight away), integration with business continuity plan, and post-incident process

Question 14

What are the steps to take in a breach?

Answer 14

Secure your operations (e.g., stop additional data loss, secure physical areas), notify appropriate parties, and fix vulnerabilities..

Question 15

What are potential consequences of inconsistent messaging?

Answer 15

Evidence of poor planning, loss of trust, people make assumptions about what’s true, and legal liability issues.

Question 16

Why should internal announcements be made at the same time as external?

Answer 16

To align messaging, avoid leaks, and demonstrate transparency.

Question 17

What do employees need to know about an incident?

Answer 17

Information that affects their jobs, what to keep confidential,

Question 18

What’s the nature of the breach? How many individuals impacted? Is information accessible and usable? Is breach likely to lead to harm? Can harm be mitigated?

Answer 18

Things to consider when deciding whether to make an external announcement if there is no legal obligation to do so.

Question 19

What are the costs involved with a data breach?

Answer 19

Punitive costs, first-party costs (e.g., legal counsel, crisis management), remediation costs, intangible costs (e.g., customer retention)

Question 20

What principles do breach obligations adhere to?

Answer 20

Preventing harm, collection limitation, accountability, and monitoring and enforcement.

Question 21

Why train?

Answer 21

Expose gaps, cultivate security, reduce financial liability and regulatory exposure, lower breach-related costs, preserve brand reputation and integrity