Thu, Nov 5, 2015

Cutting Your Data Breach Down to Size: Part 2

As we learned in Part 1, while the size of a data breach is an important factor in determining severity or risk, it is not the only one you have to worry about. Regardless, the largest breaches remain very difficult to respond to, because they require quickly scaling up "normal-sized," limited resources.

As a result, companies across industries are looking closely at having a vendor in place to provide scalability and ease the pressure of handling a multi-million-person breach. But the process is not as clear-cut as it would seem. As companies focus on shaving dollars off standard breach components, they should instead be targeting the even more important components of the security incident response continuum:

A data breach response plan
Companies suffer when they spend little to no time actually developing a response strategy that factors in the realities of a large breach. For instance, while the call center is one aspect of breach response where excellent customer service must happen, in our experience there is a tendency to overinvest in it while seeing very little return on that investment. That is partly because call volume is not constant: it is typically heaviest in the first week after the breach is announced, then tapers off rapidly. How rapidly depends on several factors, including the type of data lost, the amount of publicity the breach has received, and the interval between the announcement of the breach and the mailing of notification letters. As the saying goes, timing is everything; waiting until after a breach is announced is not the time to "ramp up" resources. Technology should also be used to triage consumer calls properly, so that resources go to those who need them most, such as the affected individuals who actually become identity theft victims.

Identity theft services
Speaking of resources for affected populations, credit monitoring is still the de facto offering, but these days there are far more identity monitoring options available. An additional benefit that gives affected individuals peace of mind is dedicated resources that work on the consumer's behalf if he or she does become a victim of identity theft. Not all providers offer the same level of service, though, so it is important to know exactly what is being offered: will they actually work on the consumer's behalf, or will they provide advice only? The individuals who experience identity theft as a result of the incident are usually only a small fraction of the overall population, but because they are often the most vulnerable group within your constituency, the service provided to them is invaluable.

Data breach notification
Finally, companies will have to make complex choices about how to notify: will you mail letters, send e-mail, or rely on public notice? Because of the legal implications, this decision is generally made with the advice of counsel; however, in a large breach, notification has the potential to be the priciest component. This is where additional strategy comes in. If you choose to mail letters, you will want to ensure that your mailing list is carefully scrubbed (deduplication, standardization, verification) so that you mail only those who need to be notified, and each of them only once.
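One way to carry out that scrub, as an added example rather than anything from Kroll's own tooling: the suffix table, the sample recipients and the dedup key below are constructed for illustration, and the regex-based ZIP and e-mail checks stand in for the postal verification (a CASS/NCOA-style address service) that a real mailing would use.

```python
"""Scrub a breach-notification mailing list before letters go out.

Illustrative example, not Kroll's tooling. It walks the three steps named in
the post: standardization (so spelling variants of one address collapse to a
single string), deduplication (so nobody is mailed twice) and verification
(so records that cannot be mailed are routed elsewhere instead of wasting
postage). All input data and the suffix table are constructed for this demo.
"""
import re
from dataclasses import dataclass

# Hypothetical, deliberately tiny street-suffix table. A real run would use a
# full postal standard and a certified address-verification service.
SUFFIXES = {"STREET": "ST", "STR": "ST", "AVENUE": "AVE", "AV": "AVE",
            "ROAD": "RD", "DRIVE": "DR", "LANE": "LN", "BOULEVARD": "BLVD",
            "APARTMENT": "APT"}
ZIP_RE = re.compile(r"^\d{5}$")                      # 5-digit ZIP after truncation
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse syntax check only


@dataclass(frozen=True)
class Recipient:
    name: str
    street: str
    city: str
    state: str
    zip_code: str
    email: str


def _clean(s: str) -> str:
    """Trim, collapse internal whitespace, upper-case."""
    return re.sub(r"\s+", " ", s.strip()).upper()


def standardize(r: Recipient) -> Recipient:
    """Normalize case, whitespace, punctuation and street suffixes so that
    '123 Main Street, Apt. 4' and '123 MAIN ST APT 4' become identical."""
    name = re.sub(r"[.,]", "", _clean(r.name))
    street = re.sub(r"[.,#]", " ", _clean(r.street))
    street = " ".join(SUFFIXES.get(w, w) for w in street.split())
    zip5 = _clean(r.zip_code)[:5]          # drop ZIP+4 suffix for matching
    return Recipient(name, street, _clean(r.city), _clean(r.state),
                     zip5, r.email.strip().lower())


def verify(r: Recipient) -> str:
    """Classify a standardized record by how it can be notified."""
    mailable = bool(r.street and r.city and len(r.state) == 2
                    and ZIP_RE.match(r.zip_code))
    emailable = bool(EMAIL_RE.match(r.email))
    if mailable:
        return "mail"
    if emailable:
        return "email_only"
    return "unresolved"           # needs manual research before notification


def scrub(raw):
    """Standardize, dedupe and verify; return buckets plus a duplicate count."""
    seen = set()
    out = {"mail": [], "email_only": [], "unresolved": []}
    dropped = 0
    for rec in raw:
        r = standardize(rec)
        # Assumed dedup key: same name at same postal address, or, when there
        # is no address, same name with same e-mail.
        key = (r.name, r.street, r.zip_code) if r.street else (r.name, r.email)
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        out[verify(r)].append(r)
    out["duplicates_dropped"] = dropped
    return out


# Constructed sample: one person listed twice with formatting differences,
# one with e-mail only, one with an unusable address and no e-mail, one clean.
SAMPLE = [
    Recipient("Jane Q. Public", "123 Main Street, Apt. 4", "Springfield", "IL", "62701-1234", "jane@example.com"),
    Recipient("JANE Q PUBLIC", "123 MAIN ST APT 4", "SPRINGFIELD", "il", "62701", "Jane@Example.com"),
    Recipient("John Doe", "", "", "", "", "john.doe@example.org"),
    Recipient("Jim Roe", "PO Box 9", "Anytown", "TX", "ABCDE", ""),
    Recipient("Ann Lee", "55 Oak Avenue", "Dover", "DE", "19901", "ann@example.net"),
]

if __name__ == "__main__":
    result = scrub(SAMPLE)
    for bucket in ("mail", "email_only", "unresolved"):
        print(bucket, [r.name for r in result[bucket]])
    print("duplicates dropped:", result["duplicates_dropped"])
```

On the sample, the two "Jane Q. Public" rows collapse into one letter, the address-less record is routed to e-mail notification, and the record with a malformed ZIP and no e-mail lands in the unresolved bucket for research rather than in the print run. The cost lever is the same one the post describes: every duplicate or undeliverable record removed before printing is postage, paper and call-center follow-up that never has to be paid for.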

When it comes to a large breach, you cannot afford to react slowly, improperly or inadequately; even when you do everything right, you could still find yourself in the national spotlight, and you will be shouldering the unexpected costs. The end goal, of course, is an excellent response without overinvesting, and with proper planning and analysis of your situation it is an achievable one.

By Kroll Editorial Team
