An Incident Response Plan (IRP) defines how companies react to a security event, and details recovery procedures. To protect customer information, and ensure a company can continue to operate in the event of a data breach, an Incident Response Plan should be written, tested and reviewed on a regular basis.
Definition of a Security Incident
A security incident is an event that puts sensitive data at risk of exposure. A security incident can include:
- Malware infection
- Distributed denial of service attacks
- Unauthorized access
- Insider breaches
- Destructive attacks
- Unauthorized privilege escalation
- Loss or theft of equipment
What Information Do I Have to Protect? What Would Happen if I Got Breached?
Data breaches may involve information such as:
- Credit card information (PCI)
- Personal health information (PHI) – medical history, demographic information, test and laboratory results
- Personally identifiable information (PII) – name, SSN, driver’s license information, bank account number, passport information
Company-specific information:
- Proprietary data such as patents, copyrights, trademarks, formulas or intellectual property
A data breach could affect an organization in multiple ways. A release of customer information could involve financial penalties, in addition to the loss of sensitive information related to the company’s business practices.
What Could a Data Breach Actually Cost?
The average cost of a data breach is currently $3.92 million. On a per-record basis, the cost is approximately $242 per record in the United States and approximately $150 per record globally. The final cost per record depends on how well an organization is prepared to handle a breach and on the response procedures that follow. Additional costs include lost business opportunities, regulatory fines, and loss of customers.
Why is a Data Breach Involving PHI So Critical?
A HIPAA violation could be involved, resulting in financial penalties to the organization.
Some reasons why a breach of PHI results in a HIPAA violation:
- The organization failed to perform a comprehensive risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI).
- The organization allowed a business associate to access PHI, but failed to sufficiently protect customer PHI through the use of a HIPAA-compliant business associate agreement.
- The organization disclosed PHI without permission.
- The organization delayed breach notifications to necessary parties. The HIPAA Breach Notification Rule requires covered entities to issue notifications of breaches without unnecessary delay, no later than 60 days following the discovery of a data breach.
- The organization failed to safeguard PHI.
The Importance of an Incident Response Plan
Approximately 30% of organizations are likely to suffer at least one data breach. According to statistics, it takes approximately 7 ½ months to identify and contain a breach. Faster responses could reduce this timeframe, resulting in significant cost savings. Statistics indicate that companies that have an Incident Response Plan and test it on a regular basis experience $1.23 million less in data breach costs, on average, than companies with no preparation. An up-to-date Incident Response Plan can reduce the likelihood and severity of further incidents.
An Incident Response Plan is a necessary step to be taken, before a data breach occurs!
How an Incident Response Plan Works
An incident response plan establishes the recommended organization, actions, and procedures needed to:
- Recognize and respond to an incident
- Assess the situation quickly and effectively
- Notify the appropriate individuals and organizations about the incident
- Organize the company’s response activities, including activating a command center
- Escalate the company’s response efforts based on the severity of the incident
- Support the business recovery efforts being made in the aftermath of the incident
Steps to Creating an Incident Response Plan
Plan Before an Incident Has Occurred
1. Determine what information needs to be protected.
2. Create a team and assign responsibilities.
3. Identify threats that could lead to a data breach:
  - User account/password access
  - Social engineering
  - Theft of proprietary information – by employees or outside individuals
4. Identify types of violations that could occur, and the resulting penalties:
  - HIPAA violation – inappropriate access of healthcare records, protection of
  - Improper disposal of PHI
  - Unsecured PHI – permitting access to unauthorized individuals
  - Unsecured paperwork and portable electronic devices
5. Determine the impact:
  - Is public safety affected?
  - How many customers could be affected by an incident?
  - Is the company able to operate?
6. Create plans of action.
7. Document notification procedures for internal personnel and outside parties.
8. Document incidents, actions performed, and recovery procedures.
After an Incident Has Occurred
9. Review all procedures, documenting lessons learned and changes needed.
10. Update the plan.
11. Test the plan on an annual basis.
An Incident Response Plan is a necessary part of an organization’s business because it helps the organization mitigate risk, prepares it for a wide range of events that can threaten the confidentiality, integrity and availability of its critical assets, reduces the costs associated with a data breach, and helps the company return to normal operations.
CONTACT VESTIGE for a free consultation to discuss your cyber breach response plan.
By Mary Brewer, MBA, BS, AAS