The costs associated with a data security breach can be substantial. In addition to addressing the security issue that gave rise to the breach, companies often must assess notice obligations under federal and state law, manage public relations challenges, and work to rebuild consumer trust. The time and resources needed to accomplish these tasks can easily cost millions of dollars. Add the potential loss of business and customer goodwill, and the overall effect of a breach can be devastating.
Fortunately, recent studies have shown that companies can significantly mitigate the costs of a breach by putting in place strong incident response procedures. For instance, the most recent Ponemon study on the costs of a breach reported that from 2010 to 2011, the average overall cost of a breach declined from $7.2 million to $5.5 million. The study states that “[t]his decline suggests that organizations represented in [the] study have improved their performance in both preparing for and responding to a data breach.”
The improvement identified in the Ponemon study aligns with our recent experience: more clients have come to us with questions about what they can do to prepare for and respond to breaches more effectively. Although every company, and every breach, is different, we think there are about ten basic elements that a company should consider when thinking about incident response. My colleague Steve Satterfield and I recently wrote about these elements in this article published in Corporate Counsel. Again, there is no one-size-fits-all approach to these issues, but we thought the article might provide a useful starting point for attorneys and information security professionals as they consider implementing or strengthening their companies' incident response procedures.