Deceptions Everywhere ®

Insights on threat and cyber risk trends, use cases for deception technology
and strategies for combatting targeted attacks

Crafting a Data Breach Response Plan and Strategy

Posted by the Illusive Networks team on Nov 9, 2015 2:35:00 AM


So much work, time, and effort go into preventing a cyber attack that many organizations fail to plan for the worst: how to respond when a breach actually occurs.

According to the latest Independent Oracle Users Group (IOUG) Enterprise Data Security Survey, one third of organizations rate a data breach in the next 12 months as anywhere from "somewhat likely" to "inevitable". An inadequate response can end up eroding customer loyalty, invalidating cyber insurance policies, and costing a company millions.

Understanding Data Breach Response Laws

In January 2015, the Obama administration proposed the Personal Data Notification and Protection Act, a single federal notification standard intended to protect consumers from the waves of data breaches occurring in the business world.

Under the proposal, a business that handles sensitive personal information on 10,000 or more individuals per year would have 30 days after discovering a breach to notify the people whose data was compromised.

Proposed penalties for noncompliance reach $1,000 per day, per individual affected, capped at $1,000,000 per violation. That is no small fee for ignoring notification requirements, but it is nothing compared to the patchwork of state regulations.


As if that’s not enough, most states have their own regulations governing breach reporting. The firm Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, P.C. put together a matrix to help companies better understand how to develop a data breach response, and what they are up against.

There are also industry-specific reporting rules that companies must follow.

Data Breach Response 101: Understanding the Basics

While basic reporting guidelines exist, companies need to be smart about how they communicate information to affected customers. Every aspect reported will come under public scrutiny, and customers expect to be protected by the businesses they patronize.

Regardless of the specific state or federal regulation in play, official letters and emails of data breach notification must go out in a timely fashion.

Here are several helpful tips to consider when crafting communications:

  • First and foremost, you should explain exactly what data was lost in the breach and the circumstances that led to its compromise.

  • You’re not writing an eBook, white paper or industry report. Notifications must use concise language that clearly explains the situation and potential risks to consumers.

  • No matter what you write in the notification, consumers will inevitably want more information. Provide a toll-free number for customers to call with any questions.

  • After consumers understand the situation, they’ll want to know how to resolve their problems. Include the next steps they must take to become secure again. One common practice is to recommend (and offer) an identity protection product.

Avoiding Mistakes When Your Company is On the Line

The ugly truth is that data breaches happen often, but companies lose points in consumers’ eyes when they mishandle them and fail to be upfront and honest about it.

Looking at Target’s data breach in 2013, consumers were outraged by the whole situation. The company continues to lose money as it attempts to remedy the incident almost two years later.


Why are people so hostile toward Target when other breached companies, such as Home Depot, aren't feeling the heat? Target waited over a month to report the breach, did not initially disclose the full extent of the compromise, and published a website FAQ for affected customers that never seemed apologetic.

Defending against breaches is challenging, but creating a data breach response shouldn't be a nightmare. Winning over consumers in the wake of a data breach requires general courtesy:

  • Be proactive and send out notifications the minute you understand the basics of the situation.

  • Keep an open line of communications throughout the process.

  • Launch a microsite, as Anthem's PR team did, that lays out clear FAQs to help customers get through the tough situation.

Following state regulations is essential to responding to a data breach, but winning over customers requires companies to put themselves in other people’s shoes, and go above and beyond the call of duty when notifying those who have been compromised. 

