You’ve been breached – now what?

Why pre-breach planning matters

Joe Loscudo
| 3/29/2021
You’ve been breached – now what

Pre-breach planning can help organizations proactively prepare for and mitigate both risk and damage.

Cybersecurity breaches can cause a great deal of financial and reputational damage in an organization. When looking at the average cost of a breach in 2020 (which in the U.S. was $8.64 million, according to IBM and the Ponemon Institute), suddenly the expense of planning ahead becomes a bargain.

Organizations that have effective security awareness programs in place and incident response plans ready to launch when an attack happens certainly help themselves recover more quickly. But before an incident occurs, pre-breach planning should be a top priority for organizations both large and small. By fully understanding reporting and regulatory requirements, the types of data at risk, and why the right legal counsel matters, organizations can better prepare for and manage the inevitable breach.

Reporting and regulatory requirements

A cybersecurity incident can affect the reporting and regulatory requirements of an entity depending on its type of business, its location, and the jurisdiction of legal authorities. For example, a healthcare provider in California likely will have very different reporting requirements after a breach compared to a financial institution in Kentucky.

Sign up to receive the latest cybersecurity insights on identifying threats, managing risk, and strengthening your organization’s security posture.

One important element of pre-breach planning involves identifying the jurisdictional and regulatory authorities that govern the business. Organizations must understand and document the legal requirements that specify the actions that entities must take in response to a cybersecurity incident and the timeline involved in responding. When requirements are understood in advance, businesses can avoid the confusion of trying to learn the reporting requirements in the wake of a data breach.

Questions that organizations should ask include:

  • What regulatory regime governs the business, and what are its requirements regarding privacy, confidentiality, and data breaches?
  • What are the public reporting requirements?
  • Who at the organization is responsible for maintaining and updating this information?
  • Where can this information be located when the breach occurs?

Data type

Understanding data and its risk potential if exposed is another essential part of pre-breach planning that organizations must attend to. If sensitive data has been exposed, identifying the type of data involved is essential in navigating two issues organizations might face after a breach. First, the type of data exposed might affect what reporting requirements must be addressed and how and when reporting must be done. For example, patient health information will need to be handled differently from other personal data.

Second, the content of the data could dictate the process of extracting relevant information for reporting. Reviewing handwritten patient medical notes is much more time consuming than extracting data from a patient data spreadsheet. Organizations must identify and understand the type of data at issue to plan their responses accordingly.

Questions that organizations should ask proactively – before a breach – might include:

  • How does reviewing, analyzing, and reporting on that type of data fit within the organization’s regulatory and legal responsibilities?
  • What tools and technologies are available to preserve, review, and report on exposed data?

Questions organizations should ask about data immediately after becoming aware of a breach might include:

  • What types of data have been exposed?
  • What types of private or confidential information are contained in the data?

Legal counsel

The rules and regulations that dictate an organization’s reporting requirements can be complex, vague, or straightforward depending on the scenario. Therefore, experienced legal counsel is critical in determining the requirements and action plan after a data breach.

In the event of a breach, legal counsel should put in place a defensible process to guide the organization through its responsibilities and the actions it must take to meet legal requirements. An organization should identify capable legal counsel well before a breach occurs to eliminate time wasted on locating counsel in the midst of the crisis. Trying to find a good cyber attorney with experience in a specific industry could be difficult after a breach, so lining counsel up beforehand is critical.

Questions organizations should ask about securing legal counsel might include:

  • Who is our legal counsel with cybersecurity expertise?
  • What recommendations can legal counsel provide to help the organization prepare in the case of a breach?
  • Is this counsel available both to help plan for potential cybersecurity incidents and to quickly set a response strategy in motion when a breach occurs?

Planning ahead

Breaches are undeniably costly, so when a breach occurs, it’s important that an organization is prepared to deal with it as quickly and effectively as possible. That means thinking through legal and reporting requirements as well as potential data exposure long before adverse events occur. Ultimately, pre-breach planning can help an organization respond appropriately and prevent a breach from becoming a disaster.