The Cow and The Ditch: What To Do After A Data Breach


While the proper thing is to focus on avoiding data breaches and security incidents before they even happen, unfortunately they still do. According to the Identity Theft Resource Center, there have been nearly 800 data breaches over the course of the year so far with nearly 30 million records exposed. Many of these were the result of basic employee error, but some have been much more sophisticated. While you might not anticipate a breach, you should at least plan for one.

In this series, we’ve already discussed establishing a good security hygiene checklist and reviewed the pros, cons and alternatives to passwords. But what processes should be in place in case a data breach happens despite your best efforts?

Start with the basics

As a general rule on how to respond to any crisis, I like to use a quote from Anne Mulcahy, the former CEO of Xerox: “FIRST, get the cow out of the ditch. Second, find out how the cow got into the ditch. Third, make sure you do whatever it takes so the cow doesn't go into the ditch again.” The only thing I’d add is keep calm and don’t panic.

From a more tactical perspective, there are also a number of guides and standards that provide steps to follow when managing a security incident. Indeed, you might already have an Incident Response Policy, a Forensics Policy and a slew of other overlapping documents, which are often chucked out the window once something bad actually happens. Additionally, most states have passed security breach notification legislation, and depending on your industry and the type of data involved, there are probably a multitude of specific actions you must perform, within specific deadlines, to meet your regulatory obligations.

Understand what happened

Like snowstorms, every data breach is unique. It’s not always the amount, but the type of snow (or in our case, data) and accompanying conditions that determine how it actually affects you.

Before you can determine how to approach a data breach, you need to quickly understand what has actually happened. This is the one place where the cow analogy fails you: once data is gone, you are not getting it back. As a crisis response process, though, it still holds, so back to the cow.

This is also a good opportunity to leverage another well-worn management consulting phrase: “you need data to make informed decisions”. In the immediate aftermath of a breach, identify exactly what data was compromised, who is impacted (internal parties, external parties or both), how the data was accessed and over what time period. Once you know what the cow is and what the ditch looks like, this will guide the rest of your response, starting with containment: plugging the leak and protecting what is most important.

Create a communications plan

What’s often missing from all of those mechanical processes mentioned above is how to clearly and efficiently communicate with those you have just impacted. After a breach, lawsuits are often unavoidable. Communication with, and appropriate handling of, those impacted after a breach -- beyond what’s required by law -- is critical. Breaches are rough, and they tend to happen to everyone in varying degrees eventually. But treating a breach as a purely tactical security and compliance issue, and not addressing the more human, emotional side, can lead to additional and unnecessary damage. There is a natural inclination (I’m looking at you, general counsel) to go into full defensive mode, but don’t underestimate the value of empathy and transparency in reducing business impact.

In your communications plan, you need to take responsibility and be completely transparent with those affected. If customers are involved, make sure that customer communications are posted in a timely fashion and in a place where they will actually read them. Also look into increasing customer support capacity, and explain what you are doing to prevent a recurrence.

Look beyond yourself

Criminals are in the game of stealing data because it is a commodity that has value and can be sold, or because they can use it to extort money. Another reason to attack an organization, though, is that it may be a soft target compared with the actual intended victim. Credentials stolen from one business can become a way of gaining access to its customers’ systems, including much larger corporate networks (e.g., Target, Home Depot). So a breach at your organization might not put you in the top 10 or 100 by record count, but the broader impact has the potential to incapacitate both you and your customers.

Unfortunately, this has led some organizations to learn the hard way why they need to enforce stricter security controls for their third-party partners and vendors. Manage third-party risk before their issues become your own, and identify the partners that could have the greatest impact on you. Not all relationships are equal, and neither should be the controls you use to protect your company, so focus your efforts on those that can do the most damage.

Learn for the future

Help limit the impact now and in the future by applying additional controls around your valuables, and make sure you have a measured and appropriate response ready. After a data breach, once the dust has settled, inventory and assess your existing security capabilities against what actually happened. The threat landscape constantly evolves, as do security solutions. Quick gains can often be made by enabling new capabilities or expanding existing ones.