Your Breach Response Questions Answered: A Q&A with IDX’s Leading Breach Experts
Summary: When a company experiences a data breach, the top priority is responding quickly to mitigate damages to the organization and impacted individuals. In an interview, the leaders of both IDX’s Data Breach Solutions and Client Services teams share insights on how companies can improve their incident-response preparedness.
Expert advice on steps to take following a data breach, and how to overcome key challenges
Data breaches are virtually inevitable in today’s world of increasing cyberattacks, and it’s essential for organizations to continually optimize their incident response planning and execution. We spoke with Ian Kelly, SVP, Data Breach Solutions at IDX, and Denyl Green, VP, Client Services at IDX, to learn how organizations can better respond to data breaches and how IDX is helping to mitigate the damage caused by these incidents.
What’s most important when responding to a data breach?
IK: A response is based on what parts of the client’s business might be impacted. Phishing, for example, potentially leads to an analysis of internal systems to understand what was accessed by the bad actor. They’re also looking at whether they have a notifiable data breach. If employees are affected by the breach, clients have a sense of urgency in making sure they’re protecting those employees. And ransomware creates a whole other host of problems, because the ransom typically locks up the company’s operations and potentially stops them from conducting business. The number one concern there is getting systems back up and running.
DG: The type of information that has been breached dictates the sensitivity surrounding the incident, and the way clients think about the services and assistance that they want to provide to customers. A client has increased sensitivity if customers are experiencing fraud issues or believe their accounts have been taken over as a result of the breach, resulting in upset customers and impact to their brand. These considerations all feed into how we at IDX answer questions and handle callers reaching us regarding the incident.
Does the approach change if it involves stolen or missing assets, such as hard drives, thumb drives, or laptops?
IK: I wouldn’t say that it has a ton of impact unless the data itself has been found somewhere. What raises the alert, regardless of whether it’s a lost asset, or a hack or ransomware, is what are the chances the data will be misused? When organizations find their data on the dark web, or there’s a threat that’s been exposed to the public, that raises the alert level more so than how the incident happened. Of course, as a part of any incident, the organization should conduct a thorough root cause analysis on how the breach occurred and shore up any security or privacy deficiencies.
Is breach response different for public sector entities vs. the private sector?
IK: Public entities tend to look at this primarily in the vein of their regulatory responsibility and how they administer that. It’s a bit different from a company that may be thinking of it more personally, more emotionally, more about how their customers are impacted. That’s not to say government entities don’t care about the end user. But brand reputation issues rise to the top in the private sector, whereas that’s not as much of a concern with public entities in the pre-breach scenario.
What’s the very first step an organization should take if they believe they’ve experienced a data breach?
IK: Gather your internal response team together, discuss the organization’s cyber liability insurance policy, and speak to your attorneys. Keep as much stuff under privilege as possible. You want to move fast and stay ahead of the incident, so you can control the narrative. Before you make any decisions on what you’re going to do and where you’re going to spend money, consult your broker or risk manager to understand what’s covered under your insurance policy.
How can organizations avoid common stumbles?
DG: Once initial internal steps have been taken, the next step is partnering with an entity like IDX to work through the requirements that have been dictated. You understand that you have an incident, you know your regulatory requirements. Now you need execution. The clients that stumble the most with this are those that don’t have a good internal team or process already planned and built out.
What advice would you offer companies that want to be better prepared for cyberattacks?
IK: Have an incident-response plan in place, and make sure your team knows their responsibilities. The incident-response team should be cross-functional and include different departments, maybe including external vendors and consultants. Have a clear understanding of who is responsible for what decision throughout the process, and test it. At least annually, do tabletop tests where you run through a fake incident to make sure you know how to get everybody together, what decisions need to be made and in what order. Include your vendors in those exercises. Once you have a better understanding of the organization's risks, you can make better decisions on where to invest in security and/or insurance.
What cyberthreat trends have you seen in the past year?
IK: Breaches are not slowing down. Ransomware is still a huge problem. You’re still seeing bad guys come up with new ways to get into systems, and you’re still seeing the good guys playing defense to try and fix problems as they arise. As far as our industry goes, the shift is in customer service. It’s about looking for new ways to provide top-notch customer service not only to our customers impacted by data breaches, but to end users who are the victims of these incidents.
DG: We’ve seen an increase in third-party breaches, where organizations—like large healthcare organizations with several sub-entities—have their clients impacted by a system breach. For example, we have assisted some large call center providers whose client bases were impacted; they have a phased approach where they first have to notify the companies whose customer data was compromised and provide an opportunity for those corporate customers to opt into participation in notifying their impacted customers. A phased approach makes a project much lengthier and more unwieldy.
What are the biggest hurdles that companies face in responding to data breaches?
IK: Agreeing on how to communicate what you need to say, and balancing how much information to give the public. A breach is a PR event. Organizations are concerned about their reputation; they’re concerned about customers leaving. Not until an organization goes through one of these can they really understand how difficult it is to message properly.
DG: The main challenges fall within the mechanics of notifying a large group. The company is hoping it has the information to notify the impacted individuals. There’s a whole mix of what those records look like; not everyone will have a good mailing address or a good email. Are you meeting your obligation if you can’t actually reach at least a third of the impacted population? Regulations may then dictate that you notify via press release. Suddenly the messaging is public, and you have to be very careful about it.