Daily Archives: January 26, 2016

Data Breach Response Planning Part I

Today’s guest post is from Torey Guingrich, a Project Manager at Source One Management Services, LLC who specializes in helping global companies drive greater value from their IT and Telecommunications investments.

It seems as if no industry or company can escape the potential of a data breach. Over the past few years, we have seen large retailers, health insurance companies, financial services firms, and the U.S. federal government deal with reporting and responding to large-scale data breaches. The first reaction to the threat of a breach is to bolster prevention. While there are clear ways that companies can mitigate the risk of a breach, there will always be someone looking to exploit weaknesses in security systems and protocol. While preventing a breach would be ideal, prevention should work hand-in-hand with preparation for a breach, including having the necessary partners identified or in place to respond to, cease, and mitigate damage. Procurement plays a key role in preparation by working with IT and various stakeholders to determine which types of services are needed for a data breach, as well as supporting the selection and management of the specific suppliers.

There are a few key supplier partners that Procurement should look to establish relationships with in preparation for, or in the event of, a breach:

  • Forensic IT
    While your IT department is very familiar with the systems in place and is able to manage them, they may not have the expertise needed to identify the source of a breach. Forensic IT firms can help identify the source and extent of a breach so that your IT team can focus on securing against the breach and ensuring operations can return to working condition. Procurement should work with IT to evaluate potential suppliers for forensic services based on the organization’s architecture, network, and potential entry points and vulnerabilities. Procurement can look to leverage sourcing activities or existing relationships for IT managed services to identify potential suppliers for forensic IT services.
  • Outside Council
    Unless your internal legal team is well versed and qualified to respond to a breach, you will likely need to bring in additional resources with specific expertise to direct your company on compliance and regulatory implications. When evaluating potential legal firms, Procurement should look for those who have expertise in notification requirements in all fifty states of the U.S. as well as in other countries, as appropriate for the company’s operations, and in your company’s specific vertical (e.g. healthcare, banking, insurance). Because these requirements are evolving, be sure to identify firms that are keeping pace with the most recent rulings and regulations.
  • Credit Monitoring/Identity Theft Repair
    With the increase of cyber threats and attacks over the past few years, firms that used to be seen primarily as credit monitoring tools are leveraging their experience and insight to offer response services that include customer notifications and call centre support, along with credit monitoring and identity theft repair services for affected customers. Procurement should ensure the chosen supplier is able to meet the expertise and capacity needs of the organization and can offer value-add services to bolster your response plan. Some suppliers offer services such as data breach simulations that can help identify holes or potential gaps in the designed response plan.

Procurement will need to consider the best-fit way to contract these services in order to utilize them in an efficient way. These services can be contracted in advance of a breach; this approach guarantees capacity, provides a faster response, but comes with both a monthly or annual retainer and variable costs that correspond with the breach.

You can also looks to purchase these services when a breach occurs; this would eliminate the retainer portion of costs, but would not guarantee capacity, may put you in a less favourable position in terms of negotiating variable rates, and will have a longer lead time. If you chose not to retain services, it would be prudent to establish beforehand a short-list of potential suppliers to approach for the necessary services when breach occurs.

Another option to obtain these service is through a data breach insurance plan; this is certainly an option for many organizations, but do consider your company’s ability to fully develop a response plan, ability to control the response, and reputation risk when working within the confines of an insurance policy. Deciding which services are used, and how they are purchased, will likely depend on your organization’s aptitude for risk and budget that can be allocated to these services. Procurement will need to explore the different purchasing methods against the risks associated with a data breach to determine the appropriate approach for securing these services for the organization.

Whatever supplier partners you decide to work with (whether proactively or reactively) Procurement should identify what they will need to begin working on your behalf and mobilize as quickly as possible. The development of your data breach response plan should also identify the types of data at risk (i.e. beyond customer data) and how a breach of that data will affect your business. This practice will allow you to identify business areas that may need to be involved in the creation and execution of the response plan in order to properly prompt internal action as you engage suppliers.

Now that you have your response partnership (plan)s in place, in our next post we will discuss the next key to a successful data breach response.

Thanks, Torey.