
Proactive Strategies in Data Breach Response

The frequency and severity of data breaches are increasing year over year, and the average cost of breach detection and escalation exceeded $1.58 million per breach last year. By preparing for these events before a breach occurs and understanding in advance the processes involved in analyzing impacted data, organizations can improve their ability to comply with breach notification requirements and minimize the negative effects.

Among the most burdensome aspects of breach response are identifying the data that was affected, confirming whether the breach exposed commercially sensitive information, and determining whether notices must be issued to data subjects, customers or partners. In scenarios in which a breach has created commercial risks or notices to individuals or customers are necessary, mining the data to determine what should be included in the notices and to whom they should be issued is a significant lift. Typically, sophisticated data analysis must be executed across large volumes of disparate, and often duplicative, data and documents. 

FTI Technology recently published a white paper detailing the challenges involved in data mining during breach response, strategies for alleviating those challenges and proactive steps organizations can take in their information governance programs to reduce burden and risk. Key issues covered in the paper include:

  • Challenges in breach response.
    • Large data volumes and identifying the impacted data set.
    • Technical roadblocks.
    • Competing demands between privacy requirements, regulatory obligations and business pressures.
    • Varying privacy laws.
    • Understanding the business sensitive content that was impacted and contractual obligations regarding notice.
    • Responding to data subject access requests in parallel with breach notices and the investigation.
    • Managing the threat of class and collective actions, and the risk of losing legal privilege over work product generated during the breach investigation.
  • Workflows for responding to a breach.
    • Scoping and analysis to determine data requiring deeper scrutiny for the presence of personally identifiable information and/or sensitive business information.
    • Advanced analysis to determine priority categories of interest.
    • Data extraction using analytics and machine learning to eliminate irrelevant data and accelerate manual review wherever possible.
  • Continuous improvement for information governance, privacy and security.
    • Implementing record retention and disposal policies and procedures to reduce the amount of information stored within the organization.
    • Understanding and recording which systems contain personal information and business sensitive information.
    • Evaluating reports extracted from structured systems containing personal information, to confirm that each extraction of personal data is necessary and proportionate and that the destination locations are secure.
    • Implementing robust privacy and data protection policies and procedures, particularly the preparation of data maps and data subject request response procedures, as well as privacy technology to support the program.
    • Ongoing auditing and monitoring of the privacy program.
    • Periodic information privacy risk assessments and an internal privacy and data protection audit program.
    • Periodically revising the privacy and data protection program as laws emerge and change and to comply with changing regulations and accreditation requirements.
    • Promoting privacy, data protection and security awareness within the organization and related entities, helping to build a culture of data protection and compliance.
    • Breach response process development including scenario-based tabletop exercises. 
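The scoping workflow above (collapse duplicative data, then flag documents containing personal or business-sensitive content so reviewers see the highest-risk items first) can be sketched in code. The following Python script is an added illustration, not code from the white paper or from FTI Technology. The corpus it scans is a constructed in-memory stand-in for an exported file share, the keyword list for business-sensitive content is an assumed example, and the identifier checks (SSA structural rules for SSNs, a Luhn check for card numbers) are shown because pattern-only matching produces a flood of false positives on large data sets.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample corpus: file name -> contents, standing in for an
# exported share. Two files are byte-identical duplicates; one file carries
# an SSN-shaped string that is structurally invalid and one a card number
# that fails the Luhn check, so both should NOT be flagged.
SAMPLE_CORPUS = {
    "hr/offer_letter.txt": "Dear Jane, your SSN 219-09-9999 has been recorded. "
                           "Questions: contact jane.doe@example.com",
    "hr/offer_letter (copy).txt": "Dear Jane, your SSN 219-09-9999 has been recorded. "
                                  "Questions: contact jane.doe@example.com",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111 1111 1111 1112\n",
    "eng/release_notes.md": "# v2.3\nFixed build id 000-12-3456 regression in installer.\n",
    "legal/nda_acme.txt": "CONFIDENTIAL - Acme Corp term sheet, do not distribute.",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
# Assumed example keywords for business-sensitive content; a real program
# would derive these from the organization's classification scheme.
SENSITIVE_KEYWORDS = ("confidential", "term sheet", "do not distribute")


def dedupe(corpus):
    """Group byte-identical documents by SHA-256 so each is reviewed once."""
    groups = defaultdict(list)
    for name, text in corpus.items():
        groups[hashlib.sha256(text.encode("utf-8")).hexdigest()].append(name)
    return dict(groups)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area, group, serial):
    """SSA structural rules: area not 000/666/9xx, group not 00, serial not 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def find_pii(text):
    """Return {category: [matches]} for validated PII and sensitive keywords."""
    hits = defaultdict(list)
    for m in EMAIL_RE.finditer(text):
        hits["email"].append(m.group(0))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits["card"].append(digits)
    lowered = text.lower()
    for kw in SENSITIVE_KEYWORDS:
        if kw in lowered:
            hits["business_sensitive"].append(kw)
    return dict(hits)


def triage(corpus):
    """Dedupe, scan one representative per group, rank by number of hit categories."""
    results = []
    for digest, names in dedupe(corpus).items():
        hits = find_pii(corpus[names[0]])
        results.append({"names": names, "sha256": digest,
                        "hits": hits, "needs_review": bool(hits)})
    results.sort(key=lambda r: (-len(r["hits"]), r["names"][0]))
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_CORPUS):
        print(r["needs_review"], r["names"], sorted(r["hits"]))
```

Running the script lists the duplicate offer letters once (email and SSN hits), the refunds export (one valid card number; the Luhn-failing one is dropped), the NDA (business-sensitive keywords) and, last, the release notes with nothing to review because the SSN-shaped build id fails the structural check. On a real export the same shape scales: hash first so duplicates are reviewed once, validate identifiers before counting them, and hand the ranked list to reviewers rather than the raw share.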

A comprehensive look at the lifecycle of breach response and the data complexities and challenges that often arise in these matters is provided in the white paper, Proactive Strategies in Breach Response. For additional information on data breach investigations, visit FTI Technology’s resources.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.