
10 mistakes companies make after a data breach

Nov 13, 2013

In a recent presentation for The International Association of Privacy Professionals (IAPP) Privacy Academy, Michael Bruemmer of Experian Data Breach Resolution outlined some of the common mistakes his firm has seen as organizations deal with the aftermath of a breach.

The aftermath of a data breach, such as the one recently experienced by Adobe, can be chaotic if not dealt with properly. Poor handling can leave an organization facing reputational damage, or worse, financial and legal problems. Read on for advice on what NOT to do in the event that your organization is hit.

No external agencies secured

Sometimes a breach is too big to deal with in-house, and the type of breach may make that option an unwise one. So it’s best to have external help available if needed. Incident response teams, such as those offered by Verizon Business, Experian, Trustwave, or IBM (just to name a few), should at least be evaluated and considered when forming a business continuity / incident response plan.

No engagement with outside counsel

“Enlisting an outside attorney is highly recommended,” Bruemmer said. 

“No single federal law or regulation governs the security of all types of sensitive personal information. As a result, determining which federal law, regulation or guidance is applicable depends, in part, on the entity or sector that collected the information and the type of information collected and regulated.” 

So unless internal resources are knowledgeable about all current laws and legislation, external legal counsel with expertise in data breaches is a wise investment.

No single decision maker

“While there are several parties within an organization that should be on a data breach response team, every team needs a leader,” Bruemmer said.

There needs to be one person who will drive the response plan and act as the single point of contact for all external parties. That person is also in charge of the internal reporting structure, ensuring that everyone from executives to individual response team members is kept updated.

Lack of clear communication

Related to the lack of a single decision maker, a lack of clear communication is also a problem. Miscommunication can be the key driver in mishandling a data breach, Bruemmer said, as it delays the process and adds confusion.

“Once the incident response team is identified, identify clear delegation of authority, and then provide attorneys and [external parties] with one main contact.”

No communications plan

Sticking to the communications theme, another issue organizations face is a lack of planning for dealing with the public, especially the media.

“Companies should have a well-documented and tested communications plan in the event of a breach, which includes draft statements and other materials to activate quickly. Failure to integrate communications into overall planning typically means delayed responses to media and likely more critical coverage,” Bruemmer explained.

Waiting for perfect information before acting

Dealing with the aftermath of a data breach often requires operating with incomplete or rapidly changing information, as internal or external security forensics teams learn new facts.

“Companies need to begin the process of managing a breach once an intrusion is confirmed and start the process of managing the incident early. Waiting for perfect information could ultimately lead to condensed timeframes that make it difficult to meet all of the many notification and other requirements,” Bruemmer said.

Micromanaging the breach

“Breach resolution requires team support, and often companies fail when micromanaging occurs. Trust your outside counsel and breach resolution vendors, and hold them accountable to execute the incident response plan,” Bruemmer said.

No remediation plans post incident

There should be plans in place that address how to engage with customers and other audiences once the breach is resolved, as well as how to establish additional measures to prevent future incidents.

“If an organization makes additional investments in processes, people and technology to more effectively secure the data, finding ways to share those efforts with stakeholders can help rebuild reputation and trust. Yet, many fail to take advantage of this longer-term need once the initial shock of the incident is over,” Bruemmer said.

Not providing a remedy to consumers

Customers should be put at the center of decision making following a breach. This focus means providing some sort of remedy, including call centers where consumers can voice their concerns, and credit monitoring if financial, health or other highly sensitive information is lost.

“Even in incidents that involve less sensitive information, companies should consider other actions or guidance that can be provided to consumers to protect themselves,” Bruemmer said.

Failing to practice

“Above all, a plan needs to be practiced with the full team. An incident response plan is a living, breathing document that needs to be continually updated and revised. By conducting a tabletop exercise on a regular basis, teams can work out any hiccups before it’s too late,” Bruemmer said.