Skip to main content

Data Breach Experts Share The Most Important Next Step You Should Take After A Data Breach

by Nate Lord on Wednesday December 3, 2014

Contact Us
Free Demo

The majority of successful companies of today are well aware of common data security issues and put a great deal of trust into their own efforts towards preventing a data security breach.

However, as demonstrated by recent security breaches of several large, tech-savvy companies such as Target, LivingSocial, Facebook, Gmail, and Twitter, no set of security measures is completely infallible to a breach. What businesses of today have to then consider is: what is your plan of action after a data breach when your security and data loss prevention measures have failed?

We set out to get some pro tips from data security experts on what they would consider to be the best practices for after a data breach has already occurred. To do this, we asked 30 data security experts to answer this question:

"What's the most important next step you should take following a data breach?"

We've collected and compiled their expert advice into this comprehensive guide on what to do after a data breach. See what our experts said below:

Meet Our Panel of Data Security Experts:

Oleksandr Maidaniuk

Oleksandr Maidaniuk is the Head of Quality Assurance Solutions of Ciklum Interactive Solutions with rich experience of dealing with various types of software solutions including client-server enterprise applications, real-time systems and educational desktop software. He has a strong background in such testing methodologies as Agile model and V-model and is especially capable in analysis of business requirements and test planning. His expertise is in applying wide range of software testing methods and test design techniques (static and dynamic: structure-, experience-, specification-based).

The key step to manage the data breach if it already took place is...

COMMUNICATION: both internal (inform employees and involve everyone able to help, i.e. tech specialist, client service managers, PR & communication team, etc.) and external (direct mailing to the clients, official media release - and, if necessary, also interview to the profile press).

Basic rules in this case are:

  1. Be open and sincere. Admit if the fault was on company's side and accept responsibility.
  2. Provide details. Explain why the situation took place.
  3. Mitigate. Make conclusions out of the disaster and describe solutions for affected users. If possible, prepare a special offer for the affected audience.
  4. Educate. Explain how to prevent similar issues in the future.
  5. Invite to dialogue. Involve your clients, industry experts, analysts, media people and general public to the broader discussion about the source of the problem.

Usually, such approach will allow you not only to minimize the negative impact of an IT security accident, but (when implemented correctly) will show your company as the reliable and transparent partner, which is able to operate correctly even during the crisis situation.

Jay Botelho


Jay Botelho is the Director of Product Management at WildPackets, a leading network analysis solutions provider for networks of all sizes and topologies, and has been with the company for more than nine years. His key areas of expertise include wireless networking, handheld devices, database software and applications, embedded software and network management software.

The most important step to take after a data breach is...

To understand the root of the issue.

Engineers can use forensics to analyze traffic and instantly determine the root cause of an event, entirely removing guesswork and problem reproduction from the equation. Effective forensics provide these four key capabilities:

  • Data Capture: Capture all traffic, 24x7, on even the fastest links
  • Network Recording: Store all packets for post-incident, or forensic analysis
  • Search and Inspection: Enable administrators to comb through archived traffic for anomalies and signs of problems
  • Reporting: Through data capture and analysis, results of investigations are logged and network vulnerabilities are reviewed and analyzed post-mortem.

Perhaps most importantly, forensics solutions capture data 24/7 and automatically analyze all data collected in real time, which means all the data you need for analysis is available at a moment's notice. Whether the problem with your mission-critical app is across the room or across the world, forensics gives you immediate access to the most detailed analytics available to get to the root cause of an issue.

Andrew Avanessian

Andrew Avanessian is the Executive Vice President of Consultancy and Technology of Avecto, a security software company that sees security as an enabler.

Nearly half of security leaders believe a major security breach will happen in the future, yet the post-breach plan that IT decision makers have in mind is fundamentally flawed. Why? These plans are reactive when they should be proactive...

I recommend spending less time trying to close the door after the horse has bolted and instead move to a proactive security model. While it might seem like a complex and arduous process, it can actually be quite simple.

Many organizations fail to meet even the very basic security steps recommended by the SANS 'First Five' or the Australian Department of Defense, which highlight tactics that create a more defense-in-depth approach to security.

For instance, while perimeter technologies like firewalls can prevent against certain types of external attack, it cannot block malware that has already found its way onto endpoints within an organization. Organizations should instead create a multi-layered strategy that incorporates solutions like patching, application whitelisting and privilege management, which will help limit the pathways for malware to obtain sensitive data.

Implementing these proactive technologies is crucial, but organizations must ensure they do not come at the expense of worker productivity. It's a difficult balance to strike - the Internet ultimately creates a gateway for malware to enter organizations, yet users require constant connectivity to do their jobs. Here is where solutions like sandboxing come into play, isolating Web browser threats behind the scenes, while employees are able to work freely and without compromising the organization.

Jason Maloni


Jason Maloni is the Senior Vice President & Chair of the Litigation Practice of LEVICK and is a seasoned crisis communications professional who has been at the center of some of the most complex and challenging reputational issues and business disputes of our day. In 2009, Mr. Maloni managed the LEVICK team in its work on behalf of Heartland Payment Systems. Heartland was at the center of what was then the world's largest data breach. Mr. Maloni has deep experience on a variety of high-profile issues ranging from cybersecurity and data breaches, to product recalls and white collar criminal matters.

When it comes to the most important next step you should take following a data breach, the simple answer is...

Once you understand the forensics you need to communicate the facts:

  • What happened
  • What you're doing about (i.e. we fixed the problem)
  • And what you're doing for those affected.

Few people care what got you into this situation in the first place. They care what you're doing to make it right.

Stephen Ward


Stephen Ward is the Vice President of East Coast USA of Pinkerton, an international leader in operational risk management services and security, and has more than 20 years of experience on computer forensic intelligence and corporate intelligence.

In event of a data breach, the first thing you should do is...

Bring in a third-party IT professional that specializes in incident response and gap analysis.

The data breach happened on your current IT provider's watch, so they have a vested interest in keeping your business, and may not tell you the whole truth. By bringing in an unbiased, third-party specialist, you can discover exactly what has been accessed and compromised, identify what vulnerabilities caused the data breach, and remediate so the issue doesn't happen again in the future.

Robert Ellis Smith

Robert Ellis Smith is the leading expert on the right to privacy in the U.S. and the Publisher of Privacy Journal, the most authoritative publication in the world on the individual's right to privacy. He is an experienced journalist, a lawyer, an author of several essential books on privacy. Twice he has been asked to write the definition of privacy for the World Book Encyclopedia.

First thing to do following a data breach, which should have been done before the breach occurs, is...

Research your state's law on whom to notify in case of a breach (sometimes the data subjects, sometimes a government agency), see whether your breach fits the type covered by the law; then check the 4-5 federal laws requiring notification in the event of CERTAIN breaches.

Eran Sinai


Eran Sinai is the CEO of ID Theft Recovery and has more than 15 years of experience in the credit recovery and ID protection industry. He is Member of the Identity Management Institute, Center for Identity Governance. Eran hosts a weekly radio show on 1170 AM Radio KCBQ where he covers ID theft and other relevant issues for consumers. He is a ID theft protection subject matter expert on San Diego-based Cox Channel 4, "The American Dream Team" and Tampa-based 1250 AM WHNZ and 98.7 FM WHFZ.

A data breach can happen to both companies and individuals. Here are a few steps you should take when becoming a victim of a data breach:

1. Contact the "breach" company: That means contact the company whose data was breached. Find out the extent of the damage. What are they going to do, and if they have any instructions of what to do next. Find out from the company what information was stolen. Even if they tell you that your stolen information was encrypted. Don't trust it! The thieves probably have your information already, so go on to the next point.

2. Change all of your passwords. Don't make it easy. Don't use common names like your name, kids, etc. Add symbols, asterisks and make it hard to guess. Don't keep a copy on your computer. Keep a list of your passwords in as safe place. Use different passwords for different accounts!

3. Call the credit bureaus and do advise them you have been a victim of identity theft and they will place a fraud alert on your file.

4. Call your banks and credit cards companies: Doing so will lock your accounts and prevent further transactions. Notifying them immediately will in most cases release you from the liability for these charges. Do so immediately--a few minutes can cause thousands of dollars in damages.

5. Most of the places will encourage you to get a police report. I would wait - the reason being is every single event and the extent of the damages should be included in the police report.

6. Same applies for filing an FTC report.

7. Document everything you do and everyone you talk to.

8. Get a copy of your credit report to see if something unusual is on your credit and include that in your police report and FTC report.

9. Consider subscribing to an ID Theft Recovery program sooner rather than later.

Unfortunately, you cannot prevent identity theft. You may only be able to protect yourself, and even then you may be in for some surprises with the terms and conditions language with many of the big companies. They have experience alerting you, but not hands on experience recovering your identity. Ideally you should get proper identity theft coverage for the right price that gives you exactly the recovery protection you need at a price you can afford.

Arnie Bellini


Arnie Bellini is the CEO of Connectwise, a leading business management platform.

Dealing with a data breach is a stressful experience. Should a data breach occur in your small business or major corporation, understand that the issue is serious, but it can be dealt with. There isn't a most important next step when a data breach occurs. All of the steps a business takes after a data breach are important in resolving the issue and maintaining your company's private information:

First, uncover the cause of the breach. Most often the breach is caused by a hacking, but sometimes involves a negligent employee. Find the source of the problem before you take steps to attack it.

Then, gather a team to respond to the issue. Whether you handle your IT within your company or you outsource it, it is important to let the department know about the breach. They'll be able to put an action plan in place to resolve the issue.

Once you've established a process, it's important to begin notifying your employees and your customers of the breach. Problems such as these are best presented upfront and honestly. Keep everyone abreast to updates, and inform them of the steps being taken by the company and the IT team to resolve the issue.

Respond to customer and employee issues. Your employees or customers will respond with questions about the breach. Be prepared with responses. These can come in the form of phone calls, e-mails, even press releases. By responding to your customers in an honest and timely fashion, you'll maintain a good relationship with them, as well as their business.

Get back to business as usual. Your IT team is working tirelessly to resolve this issue, as well as taking preventative measures to stop a data breach from happening again.

Nasir N. Pasha


Nasir N. Pasha is Managing Attorney of Pasha Law PC, a national business law firm that represents small and medium size businesses in California, New York, and Texas in all legal areas associated with their day to day operations, i.e. employment law, intellectual property, corporate governance, and complex legal transactions.

The most important next step you should take following a data breach is...


Most states have their own specific laws that deal with security breaches. Each have their own notification requirements that may be required. For example, in California (where the first of its kind was effective in 2003), a business must notify each resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. There is no national standard as of yet, though there have been past attempts to do so.

Security / Privacy

Making sure your employees and contractors have the appropriate confidentiality and nondisclosure agreements in place are essential to preventing liability in the event of a data breach that may have been intentionally caused by one of these parties. Second, having a privacy policy that is developed and followed is also important. Some states require privacy policies (such as California) where in any case, the privacy policy must be followed.

Scott Dujmovich


Scott Dujmovich is an IT Executive & Solutions Consultant at Golden Tech, an IT Solutions company that provides relentless tech support, consulting, and procurement services to Northern Indiana, Chicago, and Southern Florida. The firm has been a leader in providing managed IT solutions and data security for over 17 years.

From an IT security standpoint, in the event of a data breach, the first step to take whether it was an intentional or unintentional data breach is...

Containment of the situation.

It could be something as simple as educating an employee who accidentally sent out sensitive data, or in the case of a large scale "hacked" big data security breach, containment of the compromised system or application that may be responsible for the breach is most important. Responding to a large scale data breach by having the proper systems in place will allow you to perform forensics, which is the best environment for containment.

How can your company lay out a procedure that will contain a data breach? My suggestion would be to have a Security Information and Events Management (SIEM) solution in place that gives an IT professional the ability to track down exactly what happened. Data breaches are not to be taken lightly because it's not a matter of "if" you will get breached, it is a matter of "when" it will happen. You need to be thinking about your security procedure and making sure you have the ability to respond quickly to the situation in order to minimize your losses.

Jibey Asthappan

Jibey Asthappan is a Professor and the Head of the National Security Program in the Henry C. Lee College of Criminal Justice and Forensic Sciences at the University of Haven.

When it comes to the most important next step you should take following a data breach, here is my advice...

As the firm: First of all, you should congratulate yourself for identifying the data breach. The question that no one wants to ask is how many unknown data breaches have already occurred. The most important next step is developing a single voice message about the breach for potential victims, employees, and the media. A firm's best chance of survival after a breach is to limit rumors and enhance trust. Becoming a leader in network security will keep your customers coming after the breach and may even earn you some new business.

When developing the message, follow a tried and true format:

  • First, apologize to the customers and offer help to assist them should they become affected as a result of the breach.
  • Second, create a single key message; stating this at the start ensures that even those that lose interest in the message as it progresses will know the key message. State three supporting statements or pieces of information that support the key message. Do not exceed three since average Americans seem to have difficulty managing more than three new pieces of information within a short session.
  • Then, restate the key message; repetition is important to reduce the potential for rumors.
  • Finally, state future action to prevent such a breach in the future. Be sure to address rumors that develop as soon a possible. Rumors are best addressed within 45 minutes of when they develop.

Download the Incident Responder's Field Guide

Darren Guccione


Darren Guccione is the CEO and Co-Founder of Keeper Security, a privately-held company that is based in Chicago, Illinois with engineering offices in Folsom, California. Keeper is the world's most secure digital vault for managing passwords, private files and information on mobile devices and computers - a secure, simple way to store and access your passwords and private information - anywhere, anytime.

The most important step you must take following a data breach if you are an individual is...

Change your password.

Immediately, change your password on the affected site / service. If the hack encompasses numerous sites, be sure to change all of those passwords. This process becomes a lot easier if you are using effective password management.

Andrea Eldridge


Andrea Eldridge is CEO and Co-Founder of Nerds On Call, an on-site computer and laptop repair service company for consumers and businesses. Andrea is the writer of two weekly columns: Computer Nerds On Call, a nationally syndicated column for Scripps-Howard News Service, and Nerd Chick Adventures in The Record Searchlight. She regularly appears on ABC, CBS, FOX, NBC, The CW, and CNN on shows such as Good Day Sacramento, Good Morning Arizona, and Good Day Portland, offering viewers easy tips on technology, Internet lifestyle, and gadgets.

The most important first step to take after a data breach...

Reset and Choose a robust password: 7-10 digits in length, with a mix of numbers, symbols, upper-case and lower-case letters.

Be sure to change passwords on any other accounts that may have been compromised (like your email, website, wordpress, etc). It's particularly risky to use the same password across multiple accounts. For example, if your Facebook password is compromised, the hacker would be able to take control of your linked email account if you use the same password for both accounts. This would allow him or her to find other logins that you have tied to that email, submit "forgot my password" reset requests and gain access to other your accounts like banking, shopping, etc.

Consider using a password management service like LastPass (, free for basic) that will create unique passwords for all your accounts and control your logins so you never have to type your username or password into a site again.

Alternatively, you could use my password trick of pass phrase + number + website identifier to get a difficult to guess password that is unique to each site.

Also, enable multi-factor authentication wherever possible. While it can take an extra minute or two to login from a new computer (a code is sent to an established contact such as your primary email account or cell phone and you need to enter that code to login from an "unknown" device), it means that you'll get notified if someone tries to access your account and you can take steps to protect it (change the password, notify the website, etc).

Reg Harnish


Reg Harnish (CISM, CISSP, CISA, ITIL) is an Entrepreneur, Speaker, Security Specialist and the Founder of GreyCastle Security, located in Troy, NY. With nearly 15 years of security experience in Financial Services, Healthcare, Higher Education and other industries, Reg focuses on security solutions ranging from risk management, incident handling and regulatory compliance to network, application and physical security. Reg is a frequent speaker and has presented at prominent events, including the NYS Cyber Security Conference, the Rochester Security Summit, the New York Bankers Association and Symantec Vision. Reg's successes have been featured in several leading industry journals, including Software Magazine, ComputerWorld and InfoWorld.

The minutes, hours and days after a data breach can be exciting, frustrating, emotional and confusing. Responding to a security incident is dynamic, organic and fluid. All incidents look similar in ways and completely unique in others. It is in these times that we tend to learn tough lessons about cybersecurity, and hindsight becomes laser sharp. So you've been hacked, now what?

There is no silver bullet in Incident Response, but having an effective Incident Response Plan can be a great equalizer. A plan helps ensure that response is consistent, predictable and measurable. Having a plan is like having a map on a deserted island - you may be stranded for a while, but at least you can find the water.

There are important decisions to be made, but none is more important than deciding on whether or not litigation is possible. This one decision can generate vastly different response results.

Lastly, you should be prepared to decide "how much is enough?" I've seen organizations chase cyberghosts simply for the purpose of feeling better.

Containing the incident, communicating effectively with vested parties and learning from mistakes are all important next steps once an incident has been identified. Lastly, identifying the impact of compromised assets is critical.

By now you've figured out that this is a trick question - there is no one most important step. Incident Response can be complicated, tricky and riddled with puzzles. But if nothing else it is a process full of most important next steps.

After all, effective response to a data breach can mean the difference between minimized impact and closing your doors for good.

Johnny Lee


Johnny Lee is the Managing Director, Forensic, Investigative & Dispute Services of Grant Thornton LLP. He is a management and litigation consultant and attorney, specializing in data analytics, computer forensics, and electronic discovery in support of investigations and litigation. Johnny is also a frequent speaker, panelist, and contributor on issues involving eDiscovery, Records and Information Management, Data Analysis, Business Intelligence, and the effective use (and risk management) of Information Technology. Learn more about Johnny and his work at

From my perspective, the most useful first step after a data breach would be to...

Follow, turn-by-turn, the organization's incident response plan. This, of course, presupposes that such a plan is both extant and well done.

If such a plan does not exist, has not been tested, and/or is not well crafted, then I would say the first step is quite different. For me, the most important first step would be to engage qualified outside counsel to guide the response efforts.

The reason for this is that, at least in most cases within the United States, it is possible to protect the actions and communications of a breach response with the attorney-client privilege (and its related work product doctrine). This protection is important because it allows for the free flow of information between an attorney and his or her client, allowing for the fastest response possible while exploring all of the specific obligations that flow from the findings of same.

Additionally, an attorney that specializes in this arena will have a command of the many and varied disclosure obligations accruing to the company -- at the state, federal, and country level. This jurisdictional analysis is not something counsel wants to undertake in the midst of a breach response; it should be something in which counsel is well versed before that trigger occurs.

Engin Kirda


Engin Kirda is Co-Founder and Chief Architect at Lastline, a software platform for advanced malware protection, and a Professor of Computer Science at Northeastern University.

I think the most important step to take after a data breach is to...

Understand what has been leaked and how the attack took place.

In order to do this, you must be able to actually detect the attack and resulting data breach. Otherwise it can be very difficult to determine what has leaked how, making it even more difficult to know what to do next. Once you know what was leaked and how the attack took place, you can start to take measures to limit further damage, notify affected third parties if applicable and prevent it from happening again.

Michael Fimin


Michael Fimin is an accomplished expert in information security and the CEO and Co-Founder of Netwrix, the #1 provider of change and configuration auditing solutions. Netwrix delivers complete visibility into who did what, when and where across the entire IT infrastructure.

It might sound obvious but to be better prepared against data leaks you need to ensure that the security policy components are working properly and protect sensitive systems data. What is not so obvious: what should be done in case a data breach occurs? What is the immediate step that will help to minimize the devastating consequences? Addressing the issue, first thing you need to do is...

Ensure that your systems are out of danger.

It is vital to identify the compromised system in the shortest possible time and fix the data leak to prevent future attacks. For instant troubleshooting, you might need to enable auditing solution that will provide before and after values on who changed what, when and where across the entire IT infrastructure, thus simplifying root-cause analysis.

Another thing to remember - document everything you meet on your way. Creating disk images and detailed reports will help you during further investigation and help avoid the issue in future. ​

Alan Baker

Alan Baker is the Owner, President and Chief Consultant of Spitfire Innovations, a boutique consulting firm based in Toronto, Canada that helps organizations envision, prepare for and implement change. Prior to his current leadership role, Alan was an IT AVP at a medium size life insurance company where part of his portfolio was IT security and he has responsible for the creation and maintenance of the organization's security program.

Following a data breach, there's really only two options:

You either implement your data breach response plan, or you resign, because if you don't have a predefined plan you are doomed.

Implementing a data breach response plan can be a significant (and expensive) undertaking. It's complex; it is absolutely not something that can be done by the seat of your pants.

What does a data breach response plan look like? Actually, to call it a plan is probably a misnomer; it's really more of a template that allows you to quickly develop a customized response plan that is based on the specifics of the actual breach. The key to crafting this plan is to have a cross-functional team defined and ready to spring into action at a moment's notice. In addition to a team lead, it should include representatives from the organization's executive, IT, Legal, Risk, Privacy, PR/Marketing and Customer Service, as well as any third parties that may be required. And they need to be trained; to maximize their effectiveness they should have had the necessary education and training, and a number of dry runs through a series of different scenarios.

It's important to remember that this is really an exercise in crisis management. Studies show that organizations can avoid longer term impact as long as the perception held by their customers (and shareholders) was that the issue was properly managed. Handle the crisis poorly and the recovery will likely take longer (or not happen at all).

One more thing to remember. The data breach response plan is a living document. As individuals change roles and as the organization evolves (mergers, acquisitions, divestitures etc.) the plan needs to change as well.

Greg Kelley

Greg Kelley is the CTO for Vestige, Ltd., a company that performs computer forensic services and data breach response for organizations.

Once a data breach has occurred, the most important step is to...

Put in place and follow your data breach plan.

Typically, the first step in that plan would be to contact the response team and have them respond accordingly. Responding to a data breach properly involves a careful dynamic of stopping the data leakage, removing the hacker, patching the affected systems and, sometimes more importantly, preserving the evidence of the breach.

Determining whether a company needs to go public or notify customers regarding a breach is dependent on the analysis and how much data was breached. Without proper preservation of the evidence a company may notify too many people (at an increased cost), make public an incident which didn't need to go public, or not be able to show the authorities that they have properly investigated the breach for notification purposes.

Fred Menge

Fred Menge is an Information Security Expert and Owner of Magnir, a leading information management firm and a respected provider of records management, digital forensics, electronic discovery and litigation hold services. Fred formed Magnir Group in 2006 after serving in a variety of technical and managerial positions in industries including energy, government travel and technology. He is a member of the Association of Records Management and Administration, a member with the Northeast Oklahoma Information Systems Audit and Control Association and an adjunct faculty member with Oklahoma State University.

From a security perspective, the most important step when discovering a data security breach is...

To not over-react or make irrational decisions in recovering from the breach.

There are a few key steps (in order of importance) that the company should take:

  • Investigate the incident. Gathering information on the incident is important in validating that an incident has occurred (i.e., who, what, where, and when the incident occurred)
  • If the breach is valid, inform management with a summary of the incident
  • Identify the suspected cause of the incident. For example, was the breach caused by a firewall with an open port, malware on the system, successful email phishing attack, outdated antivirus software, or an employee that unknowingly divulged confidential data?
  • Isolate the effected system and eradicate the cause of the breach
  • Implement policy, procedures, and technology if necessary, to prevent a recurrence
  • Perform period technology audit or risk assessments combined with network penetration testing to identify weaknesses in the system.

It is not recommended that the organization notify law enforcement or the local news organizations especially since doing so may provide key information to other hackers wanting to exploit weaknesses in the breached system.

Given the recent number of computer incidents, a company should develop a Computer Incident Response Plan (CIRP) and test it thoroughly and frequently. A CIRP is a pro-active, rather than reactive, step in identifying and isolating a security breach.

Adam Roth


Adam Roth is the Security Expert at Dynamic Solutions International, a leading international provider of data storage solutions and comprehensive professional services for mid to large sized organizations. With more than 39 years of expertise and significant engineering resources, DSI is committed to expanding its family of solutions to provide the industry's most complete solution for protecting critical enterprise data and preserving our customers' technology investments.

The most important steps to take after a data breach are...

Mitigate, investigate, and prevent.

  • Handle a data breach like a bite from a venomous snake, the clock is ticking and first you must stop the bleeding and prevent the venom from spreading. Once we realize there has been a breach we must determine how best to stop it, eliminating the threat is priority 1 and could mean taking computers or server's offline. The quicker you can detect and respond to a breach the less likely it will have spiraled out of control.
  • An Incident response plan needs to be designed around Mitigating, investigating, and preventing threats. Make sure you understand how your company will function without critical pieces of the network. After we have contained the threat, you will need to hire a forensic team if they are not on staff, to determine point of entry, indicators of compromise, and how far this attack has gone while on your network.
  • Finally, after we understand the attack we need to prevent reoccurrence, often times this is adding policies and procedures along with updating technology. During this phase, I strongly encourage sharing non-sensitive information about the breach with the community, industry, and any officials that would benefit because it will allow us to develop the best rules, policies, and detection mechanisms to benefit everyone.

These 3 simple procedures will likely fail unless you have a strong plan in place, so if you don't have a plan, start the discussion and don't put it off until a later time.

Determining who will be in charge when a data breach occurs is critical; this must be understood before a breach happens. Bring on professionals to help strategize and identify weakness, like professional Penetration Testing companies, Managed Security Services, and people that will be your incident response team when a data breach occurs.

Matt Malone


Matt Malone is the Co-Founder and CTO of Assero Security and has over 15 years of proven experience within the information security realm. Mr. Malone consults with the FBI and NYPD Cyber Crimes Division on security threats and attacks, assisting with investigation, documentation and pursuit of offenders. Additionally, Mr. Malone is a sought-after speaker and writer who has published and been featured in national publications such as Wired and CIO Magazine, as well as appeared in several newscasts.

The immediate response to a data breach is...

To focus solely on the technical, sending in system engineering teams to explain how the breach happen and assure management that it is fixed. That is not the only risk to the organization.

Defend against the hackers, Fear the media and litigators.

System and network engineers are excellent technical problem solvers but when an information security breach happens there is more to it than meets the technical eye. Root cause analysis, evidence collection, chain of custody, breach notification and disclosure law, these are terms not used in many CCIE or MCSE circles. When a breach occurs there is much more at stake than just getting the system stored. There may be legal liabilities, damage to the brand and reporting requirements, just to name a few. How the incident is handled can mean the difference between minimal damage and devastation. It is important to plan ahead on the steps and process to handle security incidents correctly.

As the handling of a security incident is more than a technical issue it needs to involve more than technical resources. Senior Management is required to make decision that can affect the company; Experts with experience in Forensic Investigation, Public Relations and Media handling, Legal issues, and through the chaos ensure appropriate and timely responses to affected customers.

Organizations that are not prepared hurt and damage the company far greater by unorganized or panic responses. Knowledge and experience is imperative when dealing with Security Breaches.

Key Elements for Success:

  • Establish a crisis management point of contact
  • Incident response: the company's incident response plan is initiated once the event is identified and a team is created to coordinate the plan.
  • Internal investigation: begin an investigation immediately.
  • Third-party Expertise:
    • Public relations and communication: Creates strategy and communication to media
    • Forensic investigator: forensic investigation: outside investigators should conduct a forensic investigation.
    • Legal counsel
  • Contact law enforcement: as soon as the third-party investigation begins.
  • Customer notification: immediately after the forensic teams confirm whether or not confidential customer information has been stolen, the company should inform their clients of what happened.
  • Containment and remediation plan: a plan to repair the issue and prepare for media and legal scrutiny should be quickly developed and implemented.

Jason Nielsen


Jason Nielsen is the Senior Vice President of Operations for Proxibid, the world's most trusted online Marketplace for buying and selling highly valued items. Prior to joining Proxibid, Jason served as Vice President of Worldwide Operations at Paypal, where he created fraud models and became an expert in new-market risk practices. Jason has a wealth of experience when it comes to fraud prevention - even consulting with companies like Facebook.

When it comes to the most important steps companies should take following a data breach, my advice is as follows:

  • Stay calm
  • Record the time, date, and who and how the breach was discovered
  • If you have not established a plan for a breach already, determine the Lead manager of the response team. Recommend someone from the privacy or legal team
  • Alert if establish response team or Put together with key employees
  • Protect the area where the breach happening for evidence reasons
  • Make sure that any machines effected are removed from the system
  • Interview anyone involved and document every step of the way
  • Get a forensics team on the case
  • Work with legal counsel to decide if law enforcement should be notified

Ashish Mohindroo


Ashish Mohindroo is the VP of Product Management with Bertram Capital. Ashish has an extensive background in cloud computing, middleware, and security and can offer some significant insights into how to respond/react to a data breach. He is currently working on BitCan, which is a user-friendly, cloud-based database backup solution that can definitely help in certain data breach situations.

When a breach happens, follow this five-step procedure:

Step one: Identify the source of the breach and contain the damage. This is the province of your IT department and/or an outside data-security specialist.

Step two: Contact your legal representative to ensure your response meets all legal requirements. You want to avoid being personally liable for damage resulting from a data breach at your organization. Your response may include internal investigation, contacting law enforcement, complying with mediation and notification requirements, and planning a public-relations strategy.

Know the law in your state and in the states your customers reside in. There is no federal data-breach notification statute. Forty-seven states and the District of Columbia require organizations to notify customers and clients when their personal information has been stolen. Publicly traded companies are subject to SEC reporting guidelines about data theft and other crimes. If companies fail to protect customer data appropriately, they may be subject to Federal Trade Commission scrutiny for violating their own privacy policies.

Step three: Notify. Some states require written notification of data breaches, and most call for identification of the specific information that was exposed in the breach. Note that California's breach-notification statute was recently expanded to broaden the definition of personally identifiable information. Particularly thorny for tech startups are the notification statute's "reasonable belief" and "unreasonable delay" requirements. The uncertainty about what constitutes a failure to inform has the potential of increasing liability for companies hit by a data breach.

Your notification and all other communications with the public about the breach should emphasize the company's willingness to make things right and to prevent future breaches. Take ownership of the problem, but include only the information required by law. Be sure to keep the notification short and simple.

Step four: Check your insurance coverage. Your company's comprehensive general liability (CGL) policy may cover invasion of privacy claims related to the breach, absent an explicit exclusion for threats like phishing attacks and cyber-attacks and resulting data breaches. However, the trend is toward purchasing cyber insurance as a separate policy.

Step five: Do a post-mortem. Last but not least, reexamine your security measures to determine what action you can take to prevent being damaged by a similar attack in the future.

Lee McKnight


Lee McKnight is Kauffman Professor of Entrepreneurship and Innovation and an Associate Professor at the The School of Information Studies (iSchool) at Syracuse University. McKnight's research interests include the role of information and communication technology in shaping global political and market virtual environments.

The most important step to take after a data breach is...

First, get professional (forensic and legal) help to begin to discover the scope and implications of the breach.

Second, determine if the firm should alert law enforcement of a confirmed breach.

Third, if the breach impacts on third party firms, personally identifiable information, and/or financial accounts are found to either be affected by the breach, then plans to engage, inform, and/or mitigate must be developed and disseminated quickly.

Last but not least, if the breach does indeed have potential to be a public relations/brand-damaging disaster, even if breach is limited in scope and affect on the firms, customers,and suppliers, then a proactive crisis communications strategy and management effort must be part of the effort, with CEO-level attention required to ensure that the firm appears to be taking breach seriously, even if in fact it was not particularly damaging to the firm or its clients and partners.

Anne P. Mitchell


Anne P. Mitchell is an Attorney and the CEO and President of the Institute for Social Internet Public Policy. She is also a member of the California Bar Cyberspace Law Committee, and Author of Section 6 of the Federal CAN-SPAM Act of 2003, and a returning Professor of Law at the Lincoln Law School of San Jose.

Absolutely, the most important next step you should take following a data breach is...

Communicating with your customers (or other population whose data is breached).

You should already have a message crafted that says what you need to say and also doesn't say what you shouldn't say; ready to go ahead of time rather than when you are in reaction mode.

This is a case of 'damage control starts before the damage happens.'

Edsard Ravelli


Edsard Ravelli is a Telecommunications & Cybersecurity Engineer and the founder of several tech companies. His latest project is an artificial-intelligence security system called Veiltower, which is designed to provide maximum security for users' sensitive personal data. He has built this product and several other data protection systems from the ground up.

The most important step to take after a data breach is...

First and foremost, find out how the breach happened, if you can.

This gives you an idea of how compromised you might be. The next most important step is to get on a system that you are certain was not compromised during the breach. If you're part of a company, ask your IT admin for help. If you don't have one, seek out the nerdiest person you know. They like helping in these types of circumstances.

Once you're on a system that was not compromised, log in and change all the passwords of all your accounts, starting with the most important. Remember, hackers typically leave a Trojan horse behind. This means that if you change any passwords on a compromised system, they can tell right away. Anything you do on a breached system is like typing on a screen that's being recorded by the hacker. Scary stuff! Inform any important vendors and contacts that you believe you might be the victim of a data breach. Do this from a new email account and make it clear that your previous account might be held by a bad guy. Admitting to being hacked sucks, but it's better than having one of your contacts get hacked by someone pretending to be you!

Immediately change your financial account access and replace your credit and debit cards. After all that–get a prevention system in place to make sure this never happens again! Get yourself a good password storage account. I recommend Keeper Security. With tools like these you can easily log in, but with different passwords. Hackers know we all have one or two passwords that we regularly use, and they've developed software that immediately logs in on various accounts once a password has been identified. So by using an outside app of sorts, your exposure is only limited to one account instead of all your accounts.

Bill Rosenthal


Bill Rosenthal is the CEO of Communispond, a business consultancy helps businesses and individuals to achieve business goals by communicating with clarity and power. He writes thought leader articles on effective communicating for Harvard Business Review, Forbes and Chief Executive magazine.

When it comes to the important steps to take after a data breach, this is my advice...

Announce the breach quickly. You owe it to the people affected. You'll get points for promptness -- and brickbats for delays. Explain the scope of the problem. Don't try to minimize it because you'll lose credibility if you have to amend your statement later.

The apology should come from senior management. Speak directly. Don't waffle. Elton John sang, "Sorry seems to be the hardest word." Bite the bullet.

Be ready to answer tough questions. Anticipate the questions that will be asked and prepare concise, persuasive answers to them. Rehearse them so you can answer them without a script and without sounding like you're on autopilot. On television or before a live audience, don't repeat a hostile question; rephrase it in neutral language and then answer. When talking to an individual, look at that person in the eye as you answer. The question may be asked disrespectfully; don't lose your equanimity.

Express your personal remorse. But don't make it sound like you're suffering more than the people who were affected.

Follow up with a clear description of what's being done to prevent recurrence of the problem.

J. Wylie Donald


J. Wylie Donald is an Insurance Coverage Expert and Partner at McCarter & English, where he represents commercial policyholders nationwide in disputes with carriers and is a member of the firm's Cybersecurity & Data Privacy Task Force. He frequently blogs, writes treatises and speaks on insurance coverage related to the major business and societal issues of our time: cybersecurity and data breach, Ebola, other viruses and pathogens, and similar.

Some of the obvious things that a company's risk manager must do immediately when a data breach occurs is...

Summon the forensics expert, direct the IT team to pivot all systems to secure mode, and ensconce the public relations team at company headquarters.

Less obvious, but just as important, is handling the insurance coverage layer, which can pay for all of the above, plus notice letters to compromised customers, fines levied by the FTC and lawyers to defend the identity-theft claims that have flooded in.

With cybersecurity insurance coverage - as with many other reactions to a breach - much of successfully addressing the breach depends on preparation; it's what you do beforehand that sets the table for a successful claim and recompense, or uncompensated, heavy financial losses.

Insurance companies have long taken the positions that a loss of personally identifiable information does not constitute property damage under liability policies. Nor, carriers argue, is there physical damage under a property policy. Further, there is likely to be an express exclusion tacked on for cyber risks. So relying on your general liability and property policies without evaluating cyber risks and existing coverage, and considering modifications, is foolish.

Consider whether your main concerns are identity theft, loss of trade secrets, breach of confidentiality agreements, or some combination thereof. Then perform a cost-benefit analysis of how likely those losses are and what they will cost you. Then negotiate appropriate cyber coverage and be acutely aware what is covered in your policy, in your cloud provider's policy and your counterparties' policies. When the time comes and the breach occurs, immediate notification of your carrier and insurance broker is essential. Then, in conjunction with your broker and in-house and outside attorneys, ride herd on the carrier to make sure it provides what it bargained for.

Jon Schildt


Jon Schildt is the Managing Principal of Calculated Risk Advisors, a boutique risk management and insurance brokerage firm. He has an MBA from the University of Chicago Booth School of Business and over 12 years helping clients understand their risk transfer options.

The most important next step a company can take after it experiences a data breach builds on activities the company does before that breach occurs...

Simply put, the best next step is to call in your team of network security experts to assess the breach.

The activity the company does before that is to assemble that team. Most companies do not have the resources or time to assemble the team before a breach occurs.

This is where Cyber Liability Insurance (also known as Network Security Insurance) comes in. With a single call to the insurance company after breach, a company will be provided a forensic IT expert to assess the breadth of the breach and locate the weakness which allowed it to happen. The company will have access to a local attorney who will walk them through the legal ramification of losing client data - including the necessary reporting procedures.

The insurance company will also provide monies to keep the company's clients happy if the breach impacts them as well. Experiencing a data breach has many legal, personal and business implications. Having a team of experts to help navigate this time is key to a proper response. Having insurance to pay for and coordinate the response is vital for many corporations who don't have the time, energy or funds to devote to it.

Download the Incident Responder's Field Guide

Tags:  Data Protection

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.