Few threats can wreak havoc on an organization like a data breach. From making headline news to the time-consuming response that follows, organizations of all sizes, and the law firms representing them, must have data breach response plans in place to safeguard against financial and reputational loss in the event of an incident.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, published in February 2024, aims to help organizations of every size and sector manage and reduce cybersecurity risk. The framework helps organizations understand, assess, prioritize, and communicate about cybersecurity risks, including data breach response. It sets forth six core functions: govern, identify, protect, detect, respond, and recover.
NIST CSF Framework 2.0
This blog takes a brief look at each function in the framework, with a focus on how to prevent data breaches, best practices for data breach response, and data breach response planning.
How to prevent data breaches
Prevention is the best policy, and NIST's first four functions, govern, identify, protect, and detect, help organizations do just that.
- Govern: This stage addresses the establishment of cybersecurity strategy and supply chain risk management; roles and responsibilities; and cybersecurity strategy oversight.
- Identify: Understanding the organization's current cybersecurity risks, including data breach risks, is at the core of the framework. This involves an inventory and review of assets (data, hardware, software, technology infrastructure, facilities) and the threats to them, which forms the basis for effective risk management.
- Protect: Once assets subject to risk are identified and prioritized, protection is needed to secure those assets through identity management, authentication, and access control; awareness and training; data and platform security; and infrastructure security.
- Detect: This stage enables the timely discovery and analysis of adverse events that may indicate a cybersecurity attack or data breach is under way, and it supports the response and recovery activities that follow.
When a data breach occurs, NIST offers guidance on data breach response.
Key steps in data breach response
NIST covers the following two phases for organizations that have experienced an incident:
- Respond: In this phase, organizations contain the impact of the incident. It is critical to get the right people in the right seats as quickly as possible: determining the scope of the breach and the universe of data believed to be compromised, understanding the applicable legal framework(s), and complying with data breach notification requirements.
- Recover: Following an incident, affected assets and operations are restored and recovered.
The Federal Trade Commission also offers step-by-step recommendations in its data breach response guide for business.
Creating a data breach response plan
While the NIST framework is useful, each organization has unique risks, so each organization should create (or revise) a formal data breach response plan customized to its specific risk appetite and tolerances, its goals, and the objectives needed to meet those goals.
Critical components to consider when creating or updating a data breach response plan include:
- Establishing (or revising) a data breach response plan: Organizations should proactively develop a comprehensive data breach response plan, which will make it easier to execute an orderly response if an incident occurs.
- Assembling a data breach response team: A team should include IT, operations, legal, and forensic investigators at a minimum, but often records managers, corporate communications, investor relations, and other stakeholders will need to be included. Each person's role and responsibility in data breach response should be documented.
- Auditing data retention policies: Data governance is at the core of a successful data breach response plan. It requires effective data retention policies that are followed, enforced, and audited. The more data an organization retains, particularly data that should already have been defensibly deleted under its retention schedule, the greater its unnecessary exposure and the potential damage from a breach.
- Remembering contractual obligations: Contractual notification obligations owed to employees, customers, partners, and other parties are often overlooked, but every notification requirement contained in these contracts must be addressed as organizations assemble their notification lists.
- Testing the data breach response plan: The plan should be tested using tabletop exercises that investigate and consider an array of potentially relevant scenarios and assess the organization’s readiness to respond.
- Keeping up to date on regulatory requirements: Regulatory requirements change. For example, in July 2023 the SEC adopted rules on cybersecurity risk management, strategy, governance, and incident disclosure that require public companies to disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material.
While there is never enough time when an incident occurs, organizations can take steps to prevent data breaches and effectively execute data breach response activities by adhering to the NIST CSF 2.0 and creating customized data breach response plans that meet their specific needs.
UnitedLex can help organizations augment their data breach response plan by providing rapid insight into the potential severity, and quickly defining the extent of exposure and the obligations to the company, customers, employees, and third parties. Let’s talk.