4 Steps to Implement a Data Breach Contingency Plan

Think your organization is safe from a data breach? Think again. Just this week, the Identity Theft Resource Center reported that a total of 589 breaches have exposed approximately 76 million records in 2014 alone. This is a 29.5% increase from last year. Financial institutions accounted for 1.1 million breached records, 64.4 million business records were exposed and 7.1 million medical records were compromised. Company data is a vital asset to your organization, but it can also be a giant liability. You need a data breach contingency plan. Chances are your organization stores one, if not many, of the following:

Credit Card Information

Customer, Patient or Employee Data

Inventory Systems

Intellectual Property

Access to this data is necessary for your business. Now imagine if that information was compromised. What would be the implications to your organization’s operation, reputation and future?

If the growing number of reported breaches shows anything, it is that no one is immune to a data breach. However, there are preparations you can make now to minimize the harm that a potential breach would wreak on your organization.

Talk with your IT professionals for expert advice on how to reduce your exposure. In the meantime, consider the following steps to create and implement a data breach contingency plan for your organization:


1. Designate a Response Team

This team is responsible for investigating the issue, answering the initial questions and creating a specific plan to move forward. Your Data Breach Response Team should be made up of the following professionals, or your organization’s equivalent:

An IT Professional

Your legal counsel

A PR professional

The company compliance officer


A representative from each department of your organization


2. Document Everything Now

When the need for documentation is realized, it is already too late. Start documenting now, so that when you need to reference that information, it is available to you. Below are suggestions of what to document now to be prepared for a breach in the future.

Document access levels and issue individual accounts rather than shared group logins, so that every action on a system can be attributed to one person.

Document processes so that in the event of a crisis, anyone can step in to fulfill those duties.

Create a log of users for all accounts. Know who has access and at what level to each account.

Map out your network and the configuration of all your devices (including printers, fax machines, copiers, etc.).
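The account inventory described in this step is easier to keep current, and to check, if it is kept as data rather than as a document. The following is an added example, not code from the original article: it reads a constructed CSV of account assignments (the column names and sample rows are assumptions for illustration), builds a per-person access matrix, and flags the two things the list above warns about: group logins shared by more than one person, and accounts with no named owner.

```python
"""Access inventory check.

Added example, not part of the original article. The CSV layout
(system, account, owner, access_level) and the sample rows are
constructed for illustration; replace SAMPLE_CSV with an export
from your own account records.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: one row per account assignment.
SAMPLE_CSV = """system,account,owner,access_level
fileserver,jsmith,Jane Smith,user
fileserver,admin,Jane Smith,admin
fileserver,admin,Bob Lee,admin
billing,svc_billing,,service
billing,blee,Bob Lee,admin
printer-3f,admin,,admin
"""


def parse_records(text):
    """Parse CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def access_matrix(records):
    """Return {person: {system: access_level}} for every named owner.

    This is the 'who has access, and at what level, to each system'
    table the article asks you to keep.
    """
    matrix = defaultdict(dict)
    for r in records:
        owner = r["owner"].strip()
        if owner:
            matrix[owner][r["system"]] = r["access_level"]
    return dict(matrix)


def shared_logins(records):
    """Return {(system, account): [owners]} for accounts used by more
    than one person. These are the group logins that should be replaced
    with individual credentials, because actions taken under them
    cannot be attributed to a single person."""
    owners = defaultdict(set)
    for r in records:
        owner = r["owner"].strip()
        if owner:
            owners[(r["system"], r["account"])].add(owner)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def ownerless_accounts(records):
    """Return sorted [(system, account)] with no named owner.

    Nobody is accountable for these, and they are the first thing an
    investigation will struggle to explain."""
    return sorted({(r["system"], r["account"])
                   for r in records if not r["owner"].strip()})


def admins_by_system(records):
    """Return {system: [owners]} for accounts at admin level, so the
    response team can see at a glance who could have done what."""
    admins = defaultdict(set)
    for r in records:
        if r["access_level"] == "admin" and r["owner"].strip():
            admins[r["system"]].add(r["owner"].strip())
    return {k: sorted(v) for k, v in admins.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    print("Access matrix:", access_matrix(recs))
    print("Shared logins to replace:", shared_logins(recs))
    print("Ownerless accounts to assign:", ownerless_accounts(recs))
    print("Admins by system:", admins_by_system(recs))
```

Run against the sample, the check reports the shared `admin` login on `fileserver` and the two accounts with no owner; in practice the same functions run against a regular export of your directory or application user lists, and the report becomes part of the documentation the response team reaches for on day one.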


3. Keep Tabs On All Your Information

If a device or storage container is lost, you need to know what was on it. Knowing what has been compromised, and what the implications are, both depend on a detailed and current inventory of your data. Know where it is stored, how long you should keep it and who has access to it.

One preventable cause of data breaches is lost backup tapes. Encrypt data before it goes to tape, since a lost tape that only holds ciphertext is a lost asset rather than a breach. Whether or not your data is encrypted, make sure that your storage vendor is taking every precaution to keep your tapes secure. Also, take regular inventory to ensure that all of your media is accounted for.

If your data is managed by a third party, do your due diligence to ensure that their facility, processes and employees are equipped to safely and securely manage the information you entrust to them. Your data protection vendor should provide you with a 24/7, real-time inventory of all your media.


4. Policies, Policies, Policies

Make ’em, enforce ’em, then stick to ’em.

From the beginning, make it your policy to conduct thorough background checks on employees and in-depth verification of all vendors.

Then take the necessary measures to minimize the vulnerability of your devices and data. Limit access to and from devices to the people and systems that operationally need it. This means thinking critically about who stores and handles your data and how access is controlled.

When creating policies, keep in mind that effective policies do the following:

Outline best practices

Provide thorough documentation of procedures

Include measurements for accountability

Provide protection for the organization


For additional information on how to secure your data, see the FTC’s publication Protecting Personal Information.