
Best practices for security data breach reporting

The public response times to their security data breaches from Target and Neiman Marcus were noticeably different. Expert Joseph Granneman explains which approach works best.

I've seen two separate approaches taken to data breach remediation recently. On the one hand, Target's CEO at the time of the breach had been very forthright and the company has been actively communicating with affected customers since the breach was discovered. On the other hand, Neiman Marcus CEO Karen Katz waited several days to issue a public statement after rumors of her company's breach were confirmed. In general, how would you, as a CISO, advise a CEO to handle a breach publicly? Is there anything to be learned from these two examples?

Several factors determine how quickly a company can report a data breach, and they must be taken into account when comparing these two incidents. The circumstances of each data breach are unique, so it isn't fair to compare or scrutinize company responses without firsthand knowledge of each incident. Neiman Marcus may not have had all of the information needed to go public, for example. The accuracy of what is reported to the public is just as important as the timeliness of the report. It can be time-consuming to identify the point of entry and the number of records or devices that have been compromised. Law enforcement may also require a delay in notification until they have more information about the perpetrators.

The unfortunate modern-day reality is that there is a good chance a data breach will occur. It is naive for an organization to operate with the mindset that its systems are impenetrable and that all of its data is always completely protected, because the risk environment is constantly changing. The best-prepared organizations have accepted this reality and developed formal incident response plans for when a data breach does occur.

A well-thought-out incident response plan is critical to an organization's ability to navigate through all of the actions required during a security incident. The incident response plan should guide the organization through each phase of responding to a data breach, including discovery, investigation, mitigation, communication and prosecution. It should have roles defined for each member of the incident response team, including oversight, public relations, finance and technical teams. These roles will allow the organization to respond as quickly and as accurately as possible given the wide variation of potential data breach incidents.

There are too many factors that play into how quickly an organization communicates a data breach to the public to make comparisons between responses. The best-prepared organizations use an incident response plan as their playbook during a data breach investigation. I would rather judge an organization by how well its incident response plan helped it through the incident than the time it takes to report the incident. The organizations that deserve further scrutiny are those that are ignoring the reality of the modern threat environment and have no incident response plan in place.


This was last published in September 2014
