Practical Privacy

How to Lose Your Data In 10 Days

By Heather Federman, CIPP/US

It’s no longer a question of “if” you’ll be the target of a data breach; it’s only a matter of “when.” Data loss incidents are becoming an unfortunate rite of passage. More and more businesses have found themselves exposed and ill-prepared to manage the fallout. While the average cost of a breach is $5.5 million, the public reaction carries graver implications. The resulting “business shock” not only paralyzes operations, it also damages relationships with regulators, partners and consumers.

How can you best prepare and defend your organization? How can we all make 2014 the year of “data stewardship?”

At the Online Trust Alliance, we’ve found that one of the best things you can do is create a data incident plan (DIP). The DIP is a playbook describing the breach fundamentals an organization can deploy on a moment’s notice. A good DIP helps you quickly determine the nature of an incident, contain it immediately, ensure evidence is not accidentally destroyed and notify regulators without delay. Without a DIP, a breach will harm a company’s brand, increase its liability exposure and hurt its bottom line.

So, in honor of the upcoming 2014 Data Privacy Day, here are 14 key tips to help you create your DIP:

  1. Know Thy Data. Determine what data you collect and share. Classify it according to its criticality and sensitivity. What could be considered PII? Note whether each data set is “in use,” “in motion” or “at rest,” and know where it is physically stored.
  2. Terms and Conditions May Apply. Make sure your privacy policy reflects current data practices (see Tip #1). This includes the use of third-party advertisers, analytics and service providers. Periodically review and confirm these third parties comply with your written policies.
  3. You Don’t Know What You’ve Got Till It’s Gone. Conduct annual audits to review whether your data should be retained, aggregated or discarded. Data that’s no longer used needs to be securely decommissioned. Create a data retention policy dictating how long you keep information once it’s fulfilled its original purpose. And of course, continually ask whether that purpose is still valid and relevant.
  4. Practice or You’ll Breach. Forged e-mail, malvertising, phishing, social engineering exploits and data snooping via unencrypted transmissions are all on the rise. From simple controls to sophisticated tooling, make sure you’ve implemented leading security best practices.
  5. AYO Technology! Data Loss Prevention (DLP) technologies identify where sensitive data is at risk of exposure. They work in conjunction with existing security and antivirus tools. From early warnings of irregular data flows to detection of unauthorized employee access, DLP solutions help you spot, minimize and remediate threats.
  6. BYOD Is Like a BYOB House Party. The lack of a coherent bring-your-own-device (BYOD) program puts an organization at risk: user devices can easily carry malware onto company platforms. Develop a formal mobile device management program that includes an inventory of all personal devices used in the workplace, installation of remote-wipe tools and a procedure for employees to report a lost or stolen device.
  7. Insist on a List. To mitigate the grave impact on your organization, inventory key systems, access credentials and contacts. This includes bank accounts, registrars, cloud service providers, server hosting providers and payroll providers. Keep this list in a secure yet accessible location.
  8. Forensics – Don’t Do This at Home. The forensic investigation is essential in determining the source and magnitude of a breach. It is best left to the experts, as it’s easy to accidentally alter evidence or break the chain of custody.
  9. Where the Logs At? Logs are fundamental to forensic analysis, helping investigators understand what data was compromised. Types of logs include transaction, server access, firewall and client operating system logs. Examine all logs in advance to ensure they are correctly configured and that clocks and time zones are synchronized across systems. Routinely back them up, keep copies and make sure the copies are protected from tampering.
  10. Incident Response Team to the Rescue! Breaches are interdisciplinary events requiring coordinated strategies and responses. The team should represent every functional group within the organization, with an appointed executive who has defined responsibilities and authority. Establish “first responders” available 24/7 (hackers don’t work a 9 to 5 schedule).
  11. Get Friendly With the “Fuzz.” Reach out to law enforcement and regulators prior to an incident. Know who to contact so you won’t have to introduce yourself in the “heat of the battle.” When you have bad news to report, make sure they hear directly from you (a courtesy call goes a long way). Don’t inflame the situation by becoming defensive; focus on what you’re doing to help affected parties.
  12. Rules, Rules, Rules. Become intimately familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate governmental body can result in further inquiries and fines.
  13. What Did You Say? A well-executed communications plan minimizes harm to affected parties and potential legal consequences, and it limits the damage to a company’s reputation. Identify your critical audiences and review applicable laws before notifying anyone. Tailor your message by geographic region and demographics. Knowing what to say is just as important as knowing what NOT to say.
  14. Help Me Help You. Customers want organizations to take responsibility and protect them from the potential consequences of a breach. The DIP should include easy-to-access remedies that offset the harm to affected parties.
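Tip 5 talks about DLP raising early warnings of irregular data flows. The following is an added example of what such a warning can be built from; it is not code from the original post or from the OTA. It assumes a constructed outbound transfer log (one line per transfer: UTC timestamp, user, destination host, bytes, all hypothetical), builds a per-user baseline from the transfers before a cutoff date, and flags later transfers that are far above the user’s usual size or go to a destination that user has never sent to before.

```python
"""Flag irregular outbound data flows in a transfer log.

Added example, not code from the original post or the OTA. Input format is an
assumption: one constructed line per outbound transfer,
    <ISO-8601 UTC timestamp> <user> <destination host> <bytes>
A baseline (per-user median transfer size and the set of destinations seen)
is built from transfers before a cutoff; later transfers are flagged when
they are far above the user's median or go to a destination the user has
never sent to before.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (hypothetical hosts and users, not real data).
SAMPLE_LOG = """\
2014-01-13T09:02:11Z alice files.partner.example 48213
2014-01-13T11:40:05Z alice files.partner.example 51007
2014-01-14T08:55:43Z alice files.partner.example 46890
2014-01-14T16:12:30Z bob crm.example 120400
2014-01-15T10:03:19Z bob crm.example 118755
2014-01-15T12:44:02Z alice files.partner.example 50320
2014-01-16T09:31:08Z bob crm.example 121000
2014-01-16T23:14:57Z alice upload.unknown-host.test 8437120
2014-01-17T02:03:44Z bob paste.unknown-host.test 5301200
"""

BASELINE_CUTOFF = datetime(2014, 1, 16)  # transfers before this train the baseline


def parse_transfers(text):
    """Parse log text into (timestamp, user, destination, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, dest, int(nbytes)))
    return events


def build_baseline(events, cutoff):
    """Per-user (median bytes, known destinations) from transfers before cutoff."""
    sizes = defaultdict(list)
    dests = defaultdict(set)
    for ts, user, dest, nbytes in events:
        if ts < cutoff:
            sizes[user].append(nbytes)
            dests[user].add(dest)
    return {user: (median(vals), dests[user]) for user, vals in sizes.items()}


def find_irregular(events, cutoff, size_factor=10):
    """Return [(event, [reason, ...])] for post-cutoff transfers that stand out."""
    baseline = build_baseline(events, cutoff)
    flagged = []
    for event in events:
        ts, user, dest, nbytes = event
        if ts < cutoff:
            continue
        reasons = []
        if user not in baseline:
            reasons.append("no baseline for user")
        else:
            med, known = baseline[user]
            if nbytes > size_factor * med:
                reasons.append(f"{nbytes} bytes exceeds {size_factor}x user median ({med:.0f})")
            if dest not in known:
                reasons.append(f"new destination {dest}")
        if reasons:
            flagged.append((event, reasons))
    return flagged


def run_sample():
    """Convenience entry point: score the constructed sample log."""
    return find_irregular(parse_transfers(SAMPLE_LOG), BASELINE_CUTOFF)


if __name__ == "__main__":
    for (ts, user, dest, nbytes), reasons in run_sample():
        print(f"{ts.isoformat()} {user} -> {dest}: {'; '.join(reasons)}")
```

On the sample, the two late-night multi-megabyte uploads to hosts neither user has contacted before are flagged on both counts, while bob’s routine transfer to the CRM host on the same day is not. The median and the “new destination” rule are deliberately simple; a real DLP product adds content inspection, but the idea of scoring each flow against a learned baseline is the same.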

These are just the “tips” of the iceberg when it comes to developing your DIP. A well-documented response plan is only as good as the training and readiness of the organization behind it.
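Readiness applies to the logs in Tip 9 as much as to people. The following is an added example of two checks that can be run before an incident; it is not code from the original post or from the OTA. It assumes a constructed set of records from three hypothetical sources (a web front end, a firewall and a database server), each line being the source name, an ISO-8601 timestamp and a message. The first check normalizes every timestamp to UTC so events from different systems can be ordered on one timeline and reports any record whose timestamp carries no UTC offset, since local time of an unknown zone cannot be placed reliably. The second computes a SHA-256 hash chain over an archived copy of the lines, so that any later edit or deletion in the copy is detectable.

```python
"""Log readiness checks: timestamps on a shared timeline and tamper-evident copies.

Added example, not code from the original post or the OTA. Line format and
contents are assumptions: constructed records from three hypothetical sources,
    <source> <ISO-8601 timestamp> <message>
Two checks are shown. First, every timestamp is normalized to UTC so events from
different systems can be ordered on one timeline; a timestamp with no UTC offset
is reported as a finding, because local time of an unknown zone cannot be placed
reliably. Second, a SHA-256 hash chain is computed over the archived lines, so a
later edit or deletion anywhere in the copy is detectable.
"""
import hashlib
from datetime import datetime, timezone

# Constructed sample records (hypothetical hosts and users, not real data).
SAMPLE_LINES = [
    "webfront 2014-01-16T23:14:57+00:00 GET /export?all=1 user=alice",
    "firewall 2014-01-16T18:15:02-05:00 ACCEPT 10.0.0.5 -> 198.51.100.7:443",
    "dbserver 2014-01-16T23:14:55 SELECT * FROM customers user=alice",
    "webfront 2014-01-16T23:20:10+00:00 POST /logout user=alice",
]


def parse_timestamp(text):
    """Return (datetime, has_offset); aware datetimes are converted to UTC."""
    dt = datetime.fromisoformat(text)  # Python 3.7+: accepts an optional offset
    if dt.tzinfo is None:
        return dt, False
    return dt.astimezone(timezone.utc), True


def check_timestamps(lines):
    """Return (events, problems): events are (utc_dt, source, message) sorted on
    one timeline; problems describe lines that could not be placed."""
    events, problems = [], []
    for line in lines:
        source, ts, message = line.split(" ", 2)
        dt, has_offset = parse_timestamp(ts)
        if not has_offset:
            problems.append(f"{source}: timestamp {ts} has no UTC offset; "
                            "fix the logger's time-zone configuration")
            continue
        events.append((dt, source, message))
    events.sort()
    return events, problems


def chain_hashes(lines, previous="0" * 64):
    """Chained SHA-256 per line: each digest covers the line and the previous
    digest, so altering or removing a line changes every digest after it."""
    digests = []
    for line in lines:
        previous = hashlib.sha256(
            previous.encode() + b"\n" + line.encode()).hexdigest()
        digests.append(previous)
    return digests


def verify_chain(lines, digests):
    """Index of the first line whose chained digest does not match, or -1."""
    expected = chain_hashes(lines)
    for i, (have, want) in enumerate(zip(expected, digests)):
        if have != want:
            return i
    if len(expected) != len(digests):  # truncated or appended copy
        return min(len(expected), len(digests))
    return -1


if __name__ == "__main__":
    events, problems = check_timestamps(SAMPLE_LINES)
    for dt, source, message in events:
        print(dt.isoformat(), source, message)
    for problem in problems:
        print("FINDING:", problem)
    digests = chain_hashes(SAMPLE_LINES)
    print("chain intact:", verify_chain(SAMPLE_LINES, digests) == -1)
```

In the sample, the firewall record written in US Eastern time lands between the two web front-end records once converted to UTC, and the database server record is reported because it has no offset at all; that is exactly the kind of misconfiguration worth finding before an investigator has to reconstruct a timeline from it. The hash chain only proves integrity if the digests are stored somewhere the log writer cannot reach, which is why backups and protected copies belong together in Tip 9.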

Good luck in developing your DIP, and I hope to see you on Data Privacy Day!

Note from the Editor:

The OTA will also host Data Privacy Day Town Hall Events on "Safeguarding Data, Respecting Privacy & Enabling Trust." For more information and to register, visit the OTA website. These events are eligible for IAPP CPE and CLE credits.

About the Author

Heather Federman, CIPP/US, is the director of Public Policy & Outreach for the Online Trust Alliance (OTA). She is responsible for framing public policy positions that reflect OTA’s mission of enhancing online trust, innovation and self-regulation. In this role she co-chairs the OTA Public Policy and Legislation committee and manages OTA’s relationship with members of Congress and related organizations. Heather received her JD with honors from Brooklyn Law School, where she served as a teaching and research assistant for privacy scholar Jane R. Bambauer and worked as an advanced student clinician for the Brooklyn Law Incubator Policy (BLIP) Clinic. From 2012 to 2013 Heather completed her Legal & Policy Fellowship with the Future of Privacy Forum, where she worked on a variety of issues including location tracking, digital advertising, children’s privacy and mobile apps. Heather is a member of the Bar in both New York and New Jersey.

Comments

  • January 21, 2014
    Darrel Anderson
    replied:

    CSR provides a comprehensive breach notification toolkit that makes reporting effective and efficient. You can do all the prep work you want, but in most cases you have less than 72 hours to report a breach to potentially dozens of authorities. Having a service in advance helps.

  • January 21, 2014
    Caitlin Pencarrick Hertzman
    replied:

    It would be interesting to see this list and how it differs for public sector organisations. Both the legislation and risks are much different, at least in Canada.

  • January 23, 2014
    Name
    replied:

    A nice read, well done. Thanks!

  • January 23, 2014
    Allen Brandt
    replied:

    Great list, thanks for sharing!

    Would be great if you published some follow-on posts with checklists for many of the above items (hint)
