Preparing for the aftermath of a data breach

Aug. 13, 2014
Traits companies should look for in their go-to breach response partners

I’m pleased to say that security executives have made some serious headway with educating their colleagues on data breach preparedness. With the help of heightened awareness on the subject from recent, highly-publicized data breaches, now most C-suite executives are on board with prioritizing a data breach response plan in order to be prepared for the inevitable. This means companies are also allocating more funds to external partners in the forensics, legal, data breach resolution services and public relations area to help them prepare and handle a data breach.

One key component in preparing a data breach response plan that is often overlooked is identifying partners ahead of time and securing pre-breach agreement contracts. Having a contract in advance of a security incident ever occurring will lock-in negotiated pricing, as well as provide the opportunity for greater alignment and quicker activation when called upon to assist with a breach.

Unfortunately, choosing the right partner can be difficult as there has been a flood of suppliers entering the space. Wait until an issue happens, and many companies find themselves in the unfortunate position of taking on whoever is easiest (or lowest costing) to retain versus best for the job, which can lead to significant risk when managing a breach.

While the right data breach partners vary for every organization’s unique needs, there are several key traits an organization should look for. When identifying and vetting third-party partners – regardless of the specialty, from legal and forensics to public relations agencies – it is important to evaluate if they have specific experience dealing with data breach incidents, understand the unique needs of the organization’s industry sector, and are technically savvy enough to know how different types of breaches occur. In the retail sector for example, an organization should ensure their vendors have evaluated recent payments breaches and have the ability to plan for a similar scenario.

Consider whether partners will have chemistry with each other and your company’s culture as well, understanding they’ll likely act as an extension of the core response team. If the vendors you identify have worked together on data breaches in the past, this can also encourage smoother collaboration across teams.

After ensuring prospective partners meet these universal needs, there are additional nuances to consider for each specialty.

Legal

Legal partners, for instance, should preferably have an established relationship with local regulatory entities such as the state attorney general to help bridge the gap when communicating with them following a breach. Further, they should have an understanding and be able to provide guidance on what to disclose that will avoid creating unneeded litigation risks based on the latest developments in case law. They should also have a working understanding of public relations and the forensics investigations process to help ensure that anything recorded and documented by an organization balances the need for transparency and detail without creating legal risk.

Forensics

Similarly, forensics partners need to have the ability to clearly translate technical investigations into what the enterprise risk implications are of a data breach for decision-makers within the organization. If this trait is not there, often key pieces of information can get lost in translation and cause significant confusion. To identify this trait, look for candidates that have previous legal or government experience; essentially anyone essentially anyone who understands that a breach is not just a security issue but also an enterprise risk issue.

Breach Resolution

Data breach resolution providers should be equipped with the resources to support an organization from preliminary notification following a breach, to fraud resolution for affected customers. Depending on the size of your company and internal resources, consider a service provider’s ability to scale – with the option of supporting the creation of notification emails and letters, establishment of a call center, and the potential need for credit monitoring and identity theft protection. The latter is proven to be important for brand reputation as a recent study found most consumers believe organizations should provide protection following a data breach, with 63 percent of respondents noting breach populations should receive identity theft protection and 58 percent agreed they should receive credit monitoring services. Also look for partners that provide free tools and resources to help your company be prepared to manage an incident. These can include data breach response guides, crisis simulations or security audits.

Public Relations

Finally, the public relations agency you retain should have a strong understanding of data breach processes and experience in crisis communications for both traditional and social media channels. While any PR partner could have the best intentions, if they don’t understand all the steps of the data breach response process, they might suggest a strategy that leads to public statements that get you into more hot water. Communicating effectively doesn’t necessarily mean sharing information as quickly as possible, as that reaction can lead to issues when new information emerges about an incident.  An experienced PR agency should be able to provide counsel as to precisely when to make a statement, and how much information to share.

While not one size fits all, having a clear idea of key traits to look for in various data breach partners can be a huge help in sorting through the clutter to build your data breach response team. Now that you know what to look for and what questions to ask of prospective pre-breach agreement partners, it is time to pick up the phone and start dialing. Research potential partners in legal, forensics, data breach resolution services and public relations fields to ensure they have qualified experience that backs-up their claims of having expertise in the sector. And because the concept of pre-breach agreement contracts is still relatively new and lacks standardization, it may also be helpful to work with an experienced person from procurement to negotiate the fine print once your pre-breach partners have been identified.

About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president of the Experian Data Breach Resolution group. A veteran with more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the on the Medical Identity Fraud Alliance (MIFA) Steering Committee, Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.