The First 24 Hours In The Wake Of A Data Breach

There is a direct correlation between how quickly an organization can identify and contain a data breach and the financial consequences that may result.

Stephen Treglia, JD, HCISPP, Legal Counsel & HIPAA Compliance Officer- Investigations, Absolute Software

July 27, 2015


If your organization experienced a data breach, would you be prepared?

In this situation you need to act quickly, not only to meet the compliance regulations that apply to you, but also to limit the scope of the damage caused by the breach. According to a recent Ponemon Institute report, the average per-record cost of a data breach rose 12 percent over the past year. The same report showed a direct correlation between how quickly an organization can identify and contain a breach and the financial consequences it suffers.

What should an effective data breach response plan look like? The plan should be well-defined, concise and rehearsed. Much like a fire drill, all employees of your organization should be aware of the procedures and how to act almost instinctively. And, while levels of urgency will depend on the severity and scale of the breach, there are standard operating procedures to follow during those crucial first 24 hours.

Diagnose the Situation
Businesses need to swiftly and accurately diagnose the nature and severity of a breach. Has a corporate device been stolen? Has a server been compromised? Have you been hit by a distributed denial of service (DDoS) attack? The answer determines which containment controls to trigger. In the case of a stolen laptop, for instance, a company would activate whatever embedded endpoint technology it has deployed to remotely delete the data, track the device, or cut its connection to the corporate network. Whichever action you take, record what was done and when, because those records become part of the evidence trail discussed below.

Assign Roles
This is the stage at which roles are assigned among your team to address legal and containment issues. Your organization must also appoint somebody with sound communication skills and a thorough knowledge of the incident to interact with the relevant stakeholders.

Document the Analysis and Investigation
Documentation is everything, and you must make sure that you have all of the facts at hand. Depending on the type of data that has been compromised, your customers and the authorities will want the full picture. Evidence has to be properly collected and logged, not only for these reasons but also so that the root cause can be identified and prevented from recurring. Once the facts are established, make sure that several people in the organization can liaise with anyone who may be concerned about the breach, including business partners, customers, or other third parties.

Review Your Response
Once the threat has been identified, contained, and analyzed, you can bring your systems back up (once you are certain that it is safe to do so). It is at this point that you need to review your response and your existing policy to establish what was handled well and how it can be improved for the future.

Learn From Your Experience
You’ve made it through the first 24 hours, but more work needs to be done. Threats to your data do not remain static; they are in a constant state of flux and require your business to stay ahead of them. Here are three suggestions for applying what you’ve learned from the experience to improve your existing procedures:

  1. Assess where you are, and where you are not, in compliance with every regulatory body that governs your data.

  2. Implement a regular, robust security audit. Quarterly is typical, but audit your data security measures as often as your exposure warrants.

  3. Educate your staff. Employees are often the weakest link in the organization, so awareness of what is expected of them and what the risks are should be regularly reinforced.

At the end of the day, you will never achieve a position where you are completely immune from a data breach. However, you can ensure, through policy and practice, that your business is ready to respond in an appropriate fashion to contain the attack.

About the Author

Stephen Treglia

JD, HCISPP, Legal Counsel & HIPAA Compliance Officer- Investigations, Absolute Software

As Legal Counsel and HIPAA Compliance Officer to the Investigations Section and Recovery Services Department of Absolute Software, Stephen Treglia oversees the worldwide department staff of more than 40 investigators and data analysts. Stephen recently concluded a 30-year career as a prosecutor in New York, having created and supervised one of the world's first computer crime units from 1997-2010. Stephen is a renowned nationwide lecturer, teacher and writer on a variety of legal topics.

