Data Breach Plan for a Board of Directors

Nicholas J Price
Having a data breach plan is a matter of governance. According to the Worldwide Infrastructure Security Report, advanced persistent threats (APT) have increased by 36% since 2012, and mobile attacks have doubled.

Board directors are responsible for making sure that they place the shareholders' best interests at the forefront of their decision-making as part of their fiduciary duties. They're also responsible for making sure the corporation abides by all federal, state and local laws, which include data privacy laws.

Board members are responsible for determining the corporation's business strategy, which includes forming a data breach avoidance plan and a data breach response plan.

Boards need to consider the types of confidential, sensitive or protected data that their corporations hold. This information includes personally identifiable information, protected health information, cardholder data, and trade secrets or other confidential information. Boards must prioritize the allocation of financial and human resources to make sure this information stays protected.

With the rise in cybersecurity attacks, boards need to think about when a cyber-attack might occur, rather than if one will occur. The adage 'Failing to plan means planning to fail' certainly applies here.

Risks of Failing to Plan for Cybersecurity Attacks

Boards that fail to make risk avoidance and risk response plans set their corporations up for a host of potential litigation risks and financial penalties. Consumers can sue the corporation for a data breach that exposes their personal and financial information. Banks can sue the corporation for the costs of compensating consumers and helping to restore their lost funds and credit. Shareholders can sue corporations for the reduced value of their shares. Corporations can be subject to legal fines or other penalties. Boards that fail to manage cyber breaches effectively open their corporations up to vast reputational risk, which has a trickle-down effect on all operations, and will almost assuredly affect profitability.

Developing a Data Breach Plan

Board directors need to keep two things in mind when developing their data breach plans. They need to know what to do and whom they're required to inform that the breach occurred. Actions must be comprehensive, well-planned and well-rehearsed. The actions of the corporation and the board must be prompt; once a breach happens, there's no time to both plan and take action.

With many corporations conducting business globally, forming a comprehensive plan also means thinking beyond the company's corporate borders. New laws and regulations about customer data privacy are either already in force or are currently being debated. Corporations must be able to demonstrate that they're abiding by all applicable laws and regulations. The primary actions that boards should be taking if they haven't already implemented their cybersecurity plans are as follows:

Conduct Risk Assessment

The first step that boards need to take is to conduct a comprehensive, corporate-wide risk assessment. Third-party experts can be valuable resources in conducting or validating the assessment. The assessment should reveal which assets are the most susceptible to risks and where the corporation's greatest exposures to threats are.

The next step is to take this information to the corporation's insurance broker and learn more about the cyber insurance policy. An insurance professional can offer guidance about the types of insurance coverages and policies that will best protect the corporation in the case of a cybersecurity breach.

Be Ready to Take Swift Action

As part of the Data Response Plan, boards must be ready to take action quickly. Boards will need to determine the types of circumstances and situations where it's appropriate to notify the insurance broker, their attorneys, law enforcement, authoritative bodies and consumers. An overall communications plan is extremely helpful in knowing whom to notify and knowing the circumstances that trigger communication.

Developing a Data Breach Avoidance Plan

Boards may find it most productive to appoint a Cybersecurity Risk Committee that will report the plans and activities to the rest of the board, rather than taking up vast amounts of board time for it.

Developing a Data Breach Avoidance Plan will require collaboration among a team composed of a board committee, senior-level executives and IT experts. The cybersecurity team usually starts by creating a data map, so they can determine what data they have and how it flows through the corporation. They must also determine where they send data outside of the company.

From there, they'll need to determine and document which regulations and laws apply to each piece of data. Once the data has been collected, the team can categorize it based on sensitivity and the impact that a breach would cause on the corporation. This information should lead the team to the right approach to implement appropriate data security protections.

The team will also need to consider and review whether current processes follow all data security representations in their privacy policies and other consumer communications, and make changes or modifications, if necessary.

The Data Breach Avoidance Plan must factor in the corporation's relationships with third-party vendors and make sure that the plan extends to transferable data inside and outside of the country where the corporation has its headquarters.

Finally, any new details warrant a meeting with the corporation's insurance broker to review the cybersecurity insurance policies and make modifications as necessary.

Developing a Data Breach Response Plan

The Data Breach Response Plan details what boards should do or make happen in the 48 hours after the corporation detects a data breach.

The Plan should identify who composes the data breach response team. Each member of the team should know the exact steps they need to take in the event of a data breach. The Plan should identify and declare which roles should act as key witnesses in any litigation or regulatory proceedings.

The plan should include a list of outside vendors that boards need to consult if a breach occurs. The Cybersecurity Committee should test the response plan regularly and make adjustments as needed.

Finally, the Data Breach Response Plan should examine the effectiveness of the response plan and the corporation's efforts to mitigate the impact of the breach.

A Data Breach Plan Is an Ounce of Prevention

An ounce of prevention can prevent a major disaster down the line. Once corporations take steps to form data breach plans, they need to train relevant staff and rehearse their plans periodically.

Ultimately, having a data breach plan should lower the cost of a data breach, reduce the risk of expensive litigation and lessen the incidence of regulatory scrutiny.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.