Develop a playbook and identify incident response team members.

“The very first step in preparing for a breach is to develop a plan and a playbook,” said Pat Gannon, Senior Information Security Manager at KeyBank. “You need to establish who will be involved, what each team member is accountable for, and the steps you will be taking.”

• Identify team members. Team members may include forensics, legal, information security, information technology, management, operations, human resources, communications, privacy, and public/investor relations.
• Consider hiring independent experts. Forensic specialists can help you determine the source and scope of the breach as well as define the remedies needed if the breach is particularly complex or impactful. External legal counsel may have specialized knowledge that will be critical in the event of a cyber incident. Identifying experts beforehand will save time in the critical period after a breach is discovered.
• Know the laws that impact your business. Use your internal and external team members, including legal counsel, to identify laws that may affect how you deal with a data breach.

Develop and implement a communication plan.

“Effective up-front communications can go a long way toward addressing the concerns of customers, employees, and other constituents,” said Gannon. While the messaging must be consistent across all channels, different groups may have different information needs. Consider using letters, websites, and toll-free numbers to communicate with people whose information may have been compromised. As noted earlier, your legal team will provide direction on the requirements for legally required notifications.

• Designate clear roles and responsibilities. Your plan should be clear about the flow of information and how decisions will be made. It is particularly important to decide who will speak for your organization.
• Don’t forget third parties. If service providers were involved in or may be impacted by the breach, make sure they are considered in your plan.
• Know how to contact affected individuals or businesses. People and institutions that are notified early can act to limit the damage. A communications plan is an important part of the data breach response. With proper planning, this difficult part of the process can be handled quickly and smoothly.

Test and refine your plan.

Your plan needs to be continually improved and refined so your company is prepared if a cyber incident occurs. Make sure you do some practice run-throughs of your plan with as many team members as possible participating. After these exercises, perform a “Lessons Learned” and ask what worked, what didn’t work, and what improvements should be made.