The Intersection of Business Continuity and Data Breach Preparedness

Brian Zawada, FBCI | Aug 13, 2010

The assertion that data breach prevention and preparedness is strictly an information technology security issue could not be further from the truth. Proper planning for, and response to, a data breach event requires a multi-faceted approach, with participation from diverse elements of the organization. Although an IT Security department may be the obvious choice to lead the development of data breach incident planning, business continuity professionals possess an array of preparedness approaches, processes, skills, information and relationships that can contribute to an appropriate level of preparedness to respond to this type of crisis. Furthermore, as business continuity professionals continue to seek new areas in which they can add value, data breach planning is an excellent opportunity.

This article presents the business case as to why business continuity professionals need to learn about this unique threat and how they can add value to the planning effort.

Why Data Breach? Why Now?
According to Privacy Rights Clearinghouse, more than 400 million personal records have been breached since 2005. Further, the 2009 study by the Ponemon Institute found that data breaches cost organizations an average of $204 per compromised record, and that the total cost of a data breach averages $6.5M. With huge financial, reputational and operational impact potentials, and the emergence of demanding federal and state regulations (e.g. the HITECH Act), the threat posed by a data breach is real. As such, executive management, at all levels throughout the organization, cannot ignore this issue or the corresponding obligations to prepare and respond.

Taking a quick step back, what is a data breach? A data breach is defined as unauthorized access to, or unauthorized disclosure of, sensitive information. The outcomes of a data breach range from minimal impact to reputation impairment, fines, compliance issues and lost future business due to a lack of customer confidence and trust. Although recent regulatory requirements regarding data breach notification focus on Personally Identifiable Information (PII) and Protected Health Information (PHI), an organization must also consider its response to a loss of confidential and other proprietary data.

Unfortunately, many organizations think that a “fortress mentality” will eliminate the need to prepare for a data breach. Yes, prevention is a critical element of the organization’s risk management effort, but controls such as firewalls, complex passwords, encryption and a multitude of other solutions cannot completely eliminate the threat. Why? Because in the end there will always be the possibility of human error and/or a savvy adversary, and the information subject to data breach response and notification isn’t limited to what’s stored in the data center. Hard-copy documentation, recordings, flash drives and laptops all hold critical, sensitive information. Inadvertent disclosures and online postings could also constitute a data breach.

With this in mind, together with the changing regulatory landscape, data breach planning is critically important – and far from optional. Organizations must carefully balance the development and implementation of preventive and reactive controls.

The Business Case for Business Continuity Involvement
So, who should own this effort? And, more importantly, what role does the business continuity program need to take to assist in preparing the organization to minimize impact and meet all stakeholder obligations?

Before answering these questions, it is important to revisit the most common expectation voiced by executive managers in all industries and in organizations of all sizes: prepare, but do so in a pragmatic, efficient and well-coordinated manner. Simply put, leverage the best analyses to drive focused preparedness, develop threat-independent response processes, and stay compliant with legal and regulatory requirements. Developing and implementing a separate response process for every threat runs contrary to these expectations. For example, it’s all too common to see organizations develop “all-hazards” crisis management processes and teams, only to reintroduce the same participants to one-off processes and teams chartered to address specific issues, such as product recalls, public health events and data breaches.

Although these events have unique issues to address, a true all-hazards approach (and a flexible, cross-functional team) can help steer the organization toward an effective response, thus minimizing impact in a cost-effective manner.  This is where business continuity professionals can add value.

Although business continuity planning isn’t a one-size-fits-all effort, most organizational preparedness approaches result in:

  • A business impact analysis (BIA) / risk assessment, including knowledge of the organization (and its information, including where it is maintained), its technologies and key subject matter experts
  • A crisis management process, plan and team
  • Training and awareness programs, including exercises
  • Executive sponsorship and participation

Armed with these processes, solutions and information, the business continuity professional can assist with data breach planning.  But what role – or roles – could the business continuity professional perform?

The Business Continuity Professional’s Recommended Role
An effective business continuity professional has a number of traits that enable successful outcomes, including:

  • Communication skills
  • Analytic capabilities
  • Team and meeting facilitation experience

Each of these three common traits can enable the business continuity professional to offer value-added support to the data breach planning effort, namely:

  • Leading the planning effort and facilitating the development of solutions
  • Participating as a team member under the direction of another organizational entity (e.g., IT Security)

It’s important to note that neither of these roles implies that the business continuity professional is solely responsible for developing solutions in a vacuum.  No one in any organization has all the knowledge to single-handedly build a data breach response process.

However, if the business continuity professional were asked to lead the preparedness effort (or volunteered to do so after noting a preparedness gap), the optimal five-step approach would be to:

  1. Build a team
  2. Review past analytic work for planning priorities, and assess legal and regulatory requirements
  3. Evaluate existing response plans and processes for use in leading the data breach response processes
  4. Build the unique elements of the data breach response approach, including communications and notification processes, and layer these procedures into the existing plan
  5. Train the crisis management team on how to assess these situations and respond accordingly

In a recent joint white paper, Finding the Right Balance: Data Breach Prevention vs Response, Avalution Consulting and Immersion offered additional detail on each of these topics.

By utilizing the analyses and solutions already in place, the business continuity professional will not only enable the closure of a preparedness gap, but also enable that closure in a simpler, more cost-effective manner.

Business continuity professionals have a unique opportunity to take a role – leadership or participatory – in data breach planning. Maturing business continuity programs can further expand the value they provide to their organizations by leveraging organizational knowledge, processes and solutions to widen the scope of the preparedness effort in a cost-effective manner that aligns with management’s expectations of a streamlined, actionable, efficient all-hazards planning approach.

Additional Resource

Data Breaches: A Sidewalk Sale of Consumer and Personal Information


Brian Zawada
Avalution Consulting: Business Continuity Consulting