How to write a breach response plan
A data breach can be a nightmare for any business. Fail to respond properly, though, and that nightmare can turn into a full-blown disaster.
If you are responding to a breach as it happens, without a plan to follow, things are much more likely to go wrong.
A breach response plan sets out the steps you should take and who should be involved, and it can be crucial for avoiding costly mistakes. Here is how to write a breach response plan to protect your business should the worst happen.
What is a breach response plan?
It is a prepared plan that covers what your business needs to do in the event of a cyber attack or data breach.
A comprehensive data breach response plan should include:
- Who makes up your response team: This is a list of staff within your business who should be involved in managing your response to any breach.
- A list of external partners who should be notified: This should include your cyber insurer, any external legal team and other key third party businesses you work with.
- Escalation criteria: A process for making critical business decisions as the data breach develops. A response usually moves through several stages, including identification, containment, and eradication, and the criteria set out what needs to be decided at each one.
- A recovery plan: This should cover how to learn lessons from the breach and a process to manage your recovery in the coming months.
Who should be included in your response team?
Your response team should be made up of key decision makers within your business.
If you’re a small business, this might just be the company directors. For larger businesses it should also include:
- Data protection officer
- Head of IT or data security
- Head of PR or Communications
- Senior legal staff
- Senior compliance staff
- Other senior executives
You should also consider including key external contacts on your response team list. This could include:
- Your cyber insurance incident response team
- Any external legal support you have
Who should you notify of a breach?
Informing the right people at the right time is a crucial step in responding to any breach, so once you’ve notified your response team in house, you’ll need to consider informing relevant third-party organisations.
The list of organisations you should include in your breach response plan are:
- Your cyber insurance provider: Many insurers offer 24/7 rapid response as part of their cover, so the earlier you can notify them the better. They’ll also then be able to advise you on when you need to inform regulatory bodies and other external partners.
- Information Commissioner’s Office (ICO): Under GDPR you must notify the ICO of a reportable breach within 72 hours of becoming aware of it, but not every breach is reportable. You only need to report a breach if it is likely to result in a risk to the rights and freedoms of individuals. Your insurer’s response team and your legal team can advise you whether this is necessary.
- Applicable third-party businesses: This should include key external partners that you work closely with. Whether you need to notify them usually depends on whether they, or data they hold or share with you, will be affected by the breach. Again, your cyber insurer’s response team should be able to guide you further on this.
Setting escalation criteria
The escalation criteria set out the key considerations for your business at each stage of responding to a data breach, including:
- Identification: The immediate measures your business needs to take to understand the scope of any breach. This includes working out what data has been compromised, the nature of the attack and, if possible, how it happened. Preserve the logs and systems involved at this stage, because the evidence gathered here is what the later stages and any regulatory notification will rely on.
- Containment: This covers steps to stop the breach and prevent any further successful cyber attacks compromising more personal data. Take care that containment measures (rebuilding machines, rotating credentials, taking systems offline) do not destroy evidence that identification still needs.
- Eradication: This covers what you need to do to remove any security issues that are present following a cyber attack, so that the attacker cannot simply regain the access they had.
At each stage, the action needed will depend on the nature of the data breach and it is down to the response team to assess when to move from one step to the next.
Planning your recovery
Unfortunately, the repercussions of having a data breach can be felt for many months, or even years, after the event.
This means your breach response plan should include steps to plan for how your business recovers.
What you include in the recovery stage will depend on your business, but it should include steps like:
- Assessing what security changes should be made to avoid future incidents
- Preparing a legal defence if you could face court action
- Setting up credit monitoring facilities (if applicable)
- Speaking to Human Resources to see if any disciplinary action is appropriate
- Adding the breach to your internal record regardless of whether it has been reported to the ICO
What counts as a data breach?
Not all data security incidents result in a personal data breach, so if you are worried, the first step is to establish whether a breach has actually occurred. There are three main types:
- Confidentiality breaches: where there is accidental disclosure or unauthorised access to personal data.
- Availability breaches: where there is accidental or unauthorised destruction or loss of access to personal data.
- Integrity breaches: where there are accidental or unauthorised changes made to personal data.
What should you do with your plan?
Once your breach response plan has been finalised you need to ensure it’s understood and accessible to your staff, especially those that form your response team.
It’s also worth sharing your breach response plan with your cyber insurance provider. Many offer services to review and improve incident response planning processes, so they may be able to further improve what you’ve got in place.
Finally, once your plan is in place it needs to be tested and regularly reviewed. You should consider running a planned, or even surprise, test of your response plan to check it has everything your team needs to respond quickly and efficiently should a real breach happen.
Data breach response plan FAQs
Do I have to notify the ICO of every data breach?
No, only data breaches that are likely to result in a risk to the rights and freedoms of individuals.
Do I have to tell the individuals affected by the breach?
Yes, you may need to notify them if their personal data has been compromised. The guidance from the ICO states:
“If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.”
What happens if I don’t notify the ICO of a breach when I should have?
If you fail to notify the ICO of a breach your business could face a large fine. If you decide not to notify the ICO you should document the reasons why and be able to justify the decision if required.
How often should I review my data breach plan?
At least every 12 months, ideally more often.
If there is a significant change in the amount or type of personal data you process, or if members of staff on your response plan leave the business, you should consider updating the plan at that time as well.
Who can help me write a data breach plan?
One of the best ways to create a data breach response plan is to start with a detailed template – you can download one for free here.
Many cyber insurance providers also offer support creating breach response sheets.