Responding to a Data Breach
No company, big or small, is immune to a data breach. Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true. According to the Symantec SMB Threat Awareness Poll Global Results, 40 per cent of the data breaches in 2011 were at small to mid-sized companies.
Data breach response policies are essential for organizations of any size. A response policy should outline how your company will respond in the event of a data breach, and lay out an action plan for investigating potential breaches and mitigating damage should a breach occur.
Defining a Data Breach
A data breach is an incident where Personal Identifying Information (PII) is accessed and/or stolen by an unauthorized individual. Examples of PII include:
- Social insurance numbers
- Credit card information (credit card numbers – whole or part; credit card expiration dates; cardholder names; cardholder addresses)
- Tax identification information numbers (social insurance numbers; business identification numbers; employer identification numbers)
- Biometric records (fingerprints; DNA; retinal patterns and other measurements of physical characteristics for use in verifying the identity of individuals)
- Payroll information (paycheques; paystubs)
- Medical information for any employee or customer (doctor names and claims; insurance claims; prescriptions; any related personal medical information)
- Other personal information of a customer, employee or contractor (dates of birth; addresses; phone numbers; maiden names; names; customer numbers)
Data breaches can be costly. According to the Ponemon Institute’s Cost of a Data Breach Survey, the average per-record cost of a data breach was $194 in 2011; the average organizational cost of a data breach was $5.5 million.
Breach Containment and Preliminary Assessment
A breach or a suspected breach of PII must be immediately investigated and contained. Since all PII is of a highly confidential nature, only personnel necessary for the data breach investigation should be informed of the breach. The following information must be reported to appropriate management personnel:
- When (date and time) did the breach happen?
- How did the breach happen?
- What types of PII were possibly compromised? (Be as detailed as possible: name; name and social insurance number; name, account and password; etc.)
- How many customers may be affected?