Option 2: Data Security Measures

The Identity Theft Resource Center recently reported that a record number of data breaches were announced in 2007. That year, U.S. companies announced 443 breaches, more than one a day. This number was up 40% from the 315 publicized breaches in 2006 (and 158 breaches in 2005). Many of these companies no doubt thought "it can't happen to us." Yet, it did.

Take command of the potential data breach risk by being proactive rather than reactive. Instead of waiting for the inevitable, and responding to a data breach once it happens, take steps to develop a Data Breach Plan.

Although your Data Breach Plan should be individually tailored to your company's system security and data needs, there are common features that can be implemented no matter your company's business model. Making these plans now could save you headaches (not to mention liability) in the future.

A musical instrument company, Bananas, learned the hard way how a lack of preparation can lead to big trouble and costly fines. Bananas was the victim of a relatively small data breach -- only about 250 persons were affected. However, Bananas did not have a breach plan in place, and scrambled to comply with the various and at times confusing state laws regulating responses to data breaches. Despite its valiant attempts to comply, Bananas failed to meet all of the various state-law requirements. Bananas ultimately was required to pay fines and fees imposed by the major credit card companies. As the head of Bananas would remark, "They'll fine the pants off you." You can read more about the Bananas incident, and the need for effective data breach planning, in Jennifer McAdams, "After a Data Breach: Navigating the Tangle of State Notification Laws Can Be Exasperating -- and Costly" (Oct. 29, 2007) (last accessed June 25, 2008). Implementing a successful Data Breach Plan can help avoid such costly incidents.

A successful Data Breach Plan combines aggressive system and data security assessments with a comprehensive strategy to investigate, remediate and respond to a data breach when it happens. You must become familiar with the specific hardware and software that your company uses, the types of data and the manner in which data is stored on your networks, and the security systems that you have implemented to protect that data. This means working closely with IT professionals with the knowledge and experience to set up and monitor system security.

A successful Data Breach Plan takes account of and relies on a variety of individuals in your company, from those handling data collection and storage, to those in human resources, to those in customer service interacting with your customers on a daily basis. Ronald I. Raether, Jr., "Security Before and After a Data Breach," Business Law Today Nov.-Dec. 2006 at 61-62. The risk of a data breach is greatly reduced when every individual in your company plays the appropriate role.

So what does a Data Breach Plan look like? Follow the links to learn more:

1. Building a Data Breach Plan
2. Implementing a Data Breach Plan
3. Testing a Data Breach Plan
4. Assessing Your Data Breach Vulnerabilities