Contact Outside Parties
Once the problem is under control, Calhoun says the task force should start notifying the local authorities, the internal legal department (and any outside legal experts), and the public relations department. It's important to communicate about the breach after the problems have been resolved, meaning all resources should be used to stop the breach first.
In some industries, such as healthcare and financial services, there are requirements for reporting the data breach within a set period of time. Data breach notification laws vary at the state and federal levels, but they could require disclosure in as little as 24 hours. However, Calhoun says not all data breaches come with that requirement: "Disclosure comes as a part of what happened if credit cards were stolen vs. a breach of internal intellectual property."
Resolve Any Related Issues
It might seem obvious, but companies must address the long-term implications of the breach by resolving any other related problems throughout the organization. The security flaw that led to a breach must be fixed immediately, but "remediation" is a thorough process that can take much longer and involves looking for other potential flaws, Calhoun says. Without remediation, another strike could occur, as the firm has now become a target for attack.
"Companies should make a remediation plan that's tailored to the incident. This means that the company must undertake a true and honest assessment of what happened and the cause or causes for the incident," Melnik says. "The remediation plan should include addressing any security issues, but also employee training and monitoring programs."
After this remediation stage, there are additional steps to take: continued analysis of the security infrastructure, for example, as well as more penetration testing and additional remediation. But Calhoun says the first steps of fixing the breach and reporting it to authorities are the most critical.