Making a broad-reaching plan for breach response

Contact: Patricia L. Waguespack

Telephone: +1 913-663-9446

January 20, 2012

Any company that suffers a data breach - whether it involves cardholder information, employee details or other sensitive records - needs to act quickly to offset the impact and repair the damage. To respond quickly, it's a good idea to set up a business continuity strategy, Credit Union Info Security reports.

In an interview with the source, business continuity expert Ken Schroeder likens a breach to any other disaster and says it needs to be treated with the same importance as any other aspect of the strategy for minimizing operational disruptions.

"You don't have to have subject matter experts developing your response plans," Schroeder told the news outlet. "After a breach, you just need folks who can go in and review what happened."

He suggests adopting a holistic approach to breach response, combining it with the rest of the company's business continuity planning. Not only will this cut down on the time and financial expense required to draft the strategy, it will also increase the company's coverage.

As the recent data breach at ecommerce company Zappos underscores, having a balanced plan is vital. Network World reports that the company "has taken assertive steps, including compelling customers to change passwords, plus temporarily foregoing 800-number phone service in an effort to redeploy customer-service representatives to respond to customer email."

The source notes that some critics are calling the response overkill that will likely cause panic, while others say Zappos did the right thing in immediately alerting the 24 million clients potentially affected. Regardless of whether its move was the best one, it's almost certain that the breach will cost Zappos a lot of money.

Network World estimates that Zappos could end up paying $5 billion, based on research from the Ponemon Institute that averaged the cost of a data breach at $214 per record. Skeptics say that estimate is too high.

Todd Thiemann, senior director of marketing at Vormetric and a Zappos customer, said the company should have taken better steps to secure and encrypt the sensitive information.

"The definition of what is sensitive is changing," Thiemann told the news outlet. "It's not just card numbers anymore, it could be the shipping address, too."
