Just about every IT leader knows by this point that their organization may be the next data breach waiting to happen. When it does, you might feel like the loneliest person in the building – IT’s designated ‘fall guy’.
But in truth, there may be someone there who ‘has your back’ – ready to offer emotional and professional support, help you assess the damage and plot out your recovery. For some CIOs and CISOs, that most welcome friend might come in the form of a data breach coach.
Information Management had the opportunity to learn more about this new breed of cyber support player from Tim Francis, vice president and enterprise cyber lead at Travelers insurance. Francis shed light on where data breach coaches come from, how they partner with the IT security lead, and what they can do to help protect your organization’s data in the event of an attack.
Information Management: What is a data breach coach, who do they work for, and what are their primary responsibilities?
Tim Francis: A “breach coach” [may be] an attorney experienced in security and privacy compliance issues. The “breach coach” can help gather facts surrounding the incident, such as when and where the breach occurred, man-hours spent recovering, and estimates for the overall cost of remediation.
These details are necessary to help re-secure a company’s data network, refine the internal and external communications plan, and serve as evidence if the data breach results in a legal battle. Your cyber insurance carrier or agent should be able to connect your business with an experienced “breach coach” to help it recover from an event.
IM: How did this role come about and how common are these people?
Francis: As data breaches become increasingly complex, this role has emerged to help organizations navigate their response and recovery.
IM: What skills and experiences do they typically have?
Francis: Breach coaches have experience in data breach recovery and understand the increasingly complex regulatory landscape. For example, 47 states, plus Washington D.C., Puerto Rico and the Virgin Islands, have differing regulations for notifying customers that their personal information was compromised in a data breach. Deadline requirements can be from 48 hours to “without reasonable delay.” A breach coach can help a company understand these rules and implement what is needed to navigate them.
IM: How do they best assess data risk and offer data protection strategies?
Francis: If an event occurs and data is exposed, it is important to quickly ascertain how widespread the breach was and if systems are secure. Data should also be categorized to determine whether personal information was compromised, such as Social Security numbers, medical records, or financial information. This will enable the company to accurately and quickly notify customers about what took place.
In their role, a breach coach walks clients through a series of questions in the early stages of investigation that can help establish the scale and notification requirements of the breach. Among the questions they ask:
• What kind of data do you have?
• Where do you keep it?
• Who has access to it?
• How do you secure it?
• When do you purge it?
These are questions that most companies cannot answer. But, when they have a breach, the answers become critical.
IM: Who in the IT department or in data management do they typically work with, and how can they have the most effective relationship?
Francis: There must be a clear protocol in place to identify which employees are managing each component of a data breach response plan. This should include more than just the IT department. For example, it is important to determine who will be responsible for informing the insurance provider and what information he or she needs to provide in the event of a breach. The plan should also delineate which departments, including IT, HR, public relations, legal and operations, are on the incident response team.
IM: How does an organization assess whether they need to have, or work with, a data breach coach?
Francis: In the event of a data breach, all companies large and small can benefit from a breach coach. The company’s cyber insurance carrier should be able to recommend one.
IM: What role do they play after the fact in a data breach?
Francis: Companies should think of a breach coach as a first responder. Thinking about how to respond to a cyber event after it happens is a poor strategy. Business owners need to consider cyberattacks just as they would any other risk – like fire, theft, or severe weather – and plan for them as part of their business continuity strategy.
A post-cyber event plan should consider a number of issues, including:
• Notifying customers
• Assessing the scope of the breach
• Handling legal policies and procedures to report the event
• Contacting your insurance agent and carrier, and managing communications