Data Breach Response

A data breach is any instance of unauthorized release of, or access to, PII or other information not suitable for public release. This definition applies regardless of whether an organization stores and manages its data directly or through a contractor, such as a cloud service provider. Data breaches can take many forms, including:

Hackers gaining access to data through a malicious attack;

Lost, stolen, or temporarily misplaced equipment (e.g., laptops, mobile phones, portable thumb drives, etc.);

Employee negligence (e.g., leaving a password list in a publicly accessible location, technical staff misconfiguring a security service or device, etc.); and

Policy and/or system failure (e.g., a policy that doesn’t require multiple overlapping security measures—if backup security measures are absent, failure of a single protective system can leave data vulnerable).

Data breaches happen at all organizations. Even the most effective defensive layers -- endpoint and managed detection and response, multifactor authentication and employee awareness training programs -- are beatable if the attacker is sufficiently skilled or motivated.

Having a data breach response plan in place is key to minimizing and containing a breach's effect, as well as better positioning your organization for the future.

What is a data breach response plan?

A data breach response plan is a document outlining how an organization will respond in the event of a data breach. It defines what constitutes a cybersecurity and information security incident, who is involved in the plan and their contact information, the steps to take during a breach, and the follow-up actions.

The short- and long-term recovery of your business depends on how it responds to the security breach. Handling the breach in a professional and calm manner shows customers and regulatory bodies you can bounce back without a severe impact on your business. Show a disordered and panicked response, however, and you will erode customers' trust and affect your organization's ability to recover.

Generally, the actions taken following a data breach should follow four key steps:

Step 1: Contain the data breach to prevent any further compromise of personal information.

Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.

Step 3: Notify individuals and the management if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.

Step 4: Review the incident and consider what actions can be taken to prevent future breaches.

In general, entities should:

Take each data breach or suspected data breach seriously and move immediately to contain, assess and remediate the incident. Breaches that may initially seem immaterial may be significant when their full implications are assessed.

Undertake steps 1 (Contain), 2 (Assess), and 3 (Notify) either simultaneously or in quick succession. In some cases it may be appropriate to notify individuals immediately, before containment or assessment of the breach occurs.

Determine how to respond on a case-by-case basis. Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, an entity may take additional steps that are specific to the nature of the breach.
