What Should Be Included in Data Breach Response Plans?

A data breach response plan is a written outline of how a company will respond when its data is compromised. Having such a plan in place is crucial because it means you are not forced to make important decisions for the first time while also dealing with the chaos of a live breach.

But a data breach response plan will not be effective if it is not thorough and complete. Make sure your business has covered all of its bases by including these items in your data breach response plan:

The Definition of Data Breach

Every data breach response plan should begin by defining the term “data breach.” Why does this matter? The term needs to be defined so that all of the parties involved know when to invoke the response plan. Does the plan apply only to incidents where customer data is breached, or to any incident involving compromised data? Was the plan created solely for breaches affecting certain types of data, such as healthcare or financial information? A useful distinction is between a security incident (any suspected or confirmed unauthorized activity, which is handled by the normal incident process) and a data breach (confirmed unauthorized access to or acquisition of protected data), because most notification laws start their deadline clocks from the point at which a breach is discovered or reasonably believed to have occurred. Be as specific as possible when defining the term to ensure that everyone understands when it is appropriate to turn to the data breach response plan.

List of Parties to Notify

Next, make a list of the internal parties that need to be notified immediately after a breach is discovered. If there is a specific order in which the parties should be notified, this needs to be included as well. For example, if the IT or security team should be notified first, followed by the legal and public relations teams, be sure to specify this within the plan.

The plan should also include information on how these parties should be notified. Many organizations want these notifications to be documented, which means they should be sent in writing. However, because time is of the essence after a data breach, a phone call or face-to-face notification should usually accompany the written one. Keep in mind that the breach itself may have compromised corporate email or chat systems, so the plan should carry an out-of-band contact list (personal phone numbers, for example) that responders can reach without relying on the systems under investigation.

Each Party’s Responsibilities

Everyone should know exactly what their role is in the event of a data breach. For this reason, the plan should include an outline of what each party is responsible for handling after a breach. For instance, the IT or security team should be responsible for determining how the breach occurred, containing it (for example, isolating affected systems and revoking compromised credentials), preserving evidence such as logs and disk images before remediation destroys it, and securing any data that has not been compromised yet. The communications and public relations team, on the other hand, should begin drafting an official statement on the breach that can be released to the public once legal has reviewed it.

Each department within the organization should know what it is responsible for after a data breach without having to ask anyone for guidance. If everything is clearly outlined in the data breach response plan, the entire process of handling the breach will run much more smoothly.

Public Notification Plan

There are a number of state and federal laws that require companies to inform the people affected by a data breach. If your company must comply with one of these laws, it is important to understand exactly how the law requires you to notify the affected parties. For example, Florida law (the Florida Information Protection Act) requires companies to notify Florida residents whose personal information has been compromised. The affected individuals must be notified by mail or email as soon as practicable, but no later than 30 days after the breach was discovered or reasonably believed to have occurred. The notification must include a description of what happened and when, the types of personal information that were compromised, and how the affected parties can reach your company with questions or concerns.

But this is only Florida’s law. Every state has its own data breach notification law, with differing definitions of personal information, deadlines, and required content, which is why creating a public notification plan is so important. Organizing all of the laws your company must comply with into one plan, keyed to where your customers reside rather than only where your company operates, will make it much easier to follow the rules and avoid legal penalties after a breach.

Agency Notification Plan

There are also laws that require companies to notify certain government agencies after a data breach. For instance, Florida requires companies to notify the state Department of Legal Affairs within 30 days of a breach, but only if the breach affected 500 or more individuals within the state. Again, each state has its own rules about which agencies to notify, at what threshold, and by when. It is recommended that you collect all of the agency notification requirements you must comply with within this plan, together with the contact details and reporting forms for each agency, so they are all in one place when the deadline clock is already running.

Review of the Plan in the Aftermath of the Breach

Every company should take the time to review the effectiveness of its response plan once a data breach has been dealt with. Do certain parties need to be added to the list of people that should be notified after a breach is discovered? Were some parties unaware of their roles and responsibilities during the breach? Were the notifications to the appropriate agencies and affected parties sent out in a timely manner? The answers to these questions will show whether the existing plan was effective. Don’t be afraid to make changes if an area of the plan needs to be improved, and do not wait for a real breach to find the gaps: a tabletop exercise that walks the named parties through a simulated breach will surface most of them in advance. By making changes now, you can save yourself a headache in the event of another breach.

ERI currently processes over 15,000 pounds of e-waste every hour, making it the leading e-waste recycler in the country. At ERI, the protection of your data is our top priority. We go to great lengths to protect our clients’ data, but we still have a data breach response plan in place so we can act quickly in the event of a breach. For more information on our services, or to request a quote for your company, contact us today.