Practice Makes Perfect: Are You Perfecting Your Data Breach Response?

Published: September 7, 2016 by Michael Bruemmer

The 5 Best Things a Company can do After a Data Breach

At least once during the child-rearing journey, every parent must counsel a kid who wants to give up on something too soon — playing a sport or musical instrument, participating in a club — because it’s difficult to do well right away. When that happens, the parent may well remind the child that almost no one is great at everything right away; practice makes perfect!

Are you taking that axiom to heart and practicing your data breach response? Are you playing the role of parent and encouraging (requiring) your data-breach team members to keep perfecting their response? Or are you all more like the reluctant child who keeps hoping it won’t matter if he’s not great at kicking the ball if he’s never in a position to score a goal?

If you still need practice, you’re not alone; 81 percent of the companies surveyed by the Ponemon Institute for Experian’s third annual data-breach response preparedness study said they had a data breach response plan in place. However, only 34 percent considered their plans very effective or effective. A disturbing 41 percent said their organizations were ineffective, or that they weren’t confident of the effectiveness of their data breach response plans.

Anyone who’s not confident about the effectiveness of their data breach response plan can increase their confidence and perfect their plans by practicing their responses. Take these steps to practice your data-breach response:

1. Hold a practice game.

As we’ve said before, it’s no longer a question of if a company will experience a data breach, but rather one of when. The best way to know how well your data breach response plan could work is to test it out. Pick one or two possible data breach scenarios and have everyone go through the response process step by step. Do this at least once a year, and put it on your calendar! Ponemon found 36 percent of companies have no set schedule for reviewing and updating their data-breach response plans, and 35 percent haven’t done anything to update theirs since it was put in place.

2. Get the whole team on board.

Internal and external stakeholders should participate in practice play. Involve everyone, from the IT team whose job it will be to detect and halt a breach, to the outside vendor who will manage breach notification letters and staff the call center.

3. Make sure everyone understands the playbook.

Communication is a critical component of any data breach response. Assess how well your communication channels operate during your mock crisis. Everyone needs to know who’s responsible for every aspect of communications, from who will interact with regulators to who will handle the media and public.

4. Train to perfect skills throughout the year.

Once or twice a year may be sufficient for a full-scale trial of your data-breach response, but much like Olympians who perpetually train for the once-every-four-years event, your team needs to constantly train for your data-breach response.

5. Use what you learn to adapt your game plan.

At the end of each test run, you’ll have fresh data, information and perspective on how well your organization is prepared to respond to a data breach. Use that knowledge to assess and refine strengths, identify and shore up weaknesses, and audit your effectiveness. Your practice results should inform the decisions you make to update your data-breach response plan.

Practice does make perfect, and it seems companies know this — even if they’re not yet doing it. Eighty-three percent of the organizations surveyed by the Ponemon Institute said they felt having more fire drills to practice their response could help improve the effectiveness of their data-breach response plans. Practicing your data breach response plan before a crisis occurs can help ensure everyone knows what to do, and is confident doing it, when it’s time to put your plan in play.

Legal Notice: The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.