A recent study by the Ponemon Institute, LLC reports that data breaches have resulted in an average cost of US$4.8 million per incident (based on an average of 26,300 records lost or stolen, at US$182 per record).
Of the breaches examined in the study, 90 per cent resulted from the loss or theft of electronically stored data.
IT professionals play a key role not only in the prevention of breaches but also in the implementation of a prompt and effective response strategy to contain and minimize the damage caused by a breach when it occurs.
IT should get the legal team involved as soon as a breach has occurred or is suspected, even if all of the facts are not yet known.
Decisions requiring legal input, such as whether to notify affected individuals, regulators (such as the privacy commissioner), law enforcement and insurers, need to be made and acted on within hours, not days or weeks, of a breach occurring.
Experience has shown that an organization’s delay in responding to a breach can significantly increase the damage suffered by the organization as a result of the breach (including greater reputational harm and more legal liability). IT personnel should also immediately seek input from the legal team to implement a protocol to protect communications regarding the incident and the subsequent investigation as “privileged,” so that the organization is not required to disclose this information in any resulting litigation.
To enable legal counsel to determine the appropriate communication strategy and manage the legal risks, IT should provide legal counsel with as much information as possible about the incident itself and the remediation efforts taken or planned. This should include a detailed chronology of the incident, a list of what records were or may have been accessed, the types of information contained in the record, a summary of the steps taken to contain the breach and a description of the remediation plan.