Best Practices: Mitigating a Data Breach
This is part two of a three part series from Brandie N. Weddle and Laura J. Butte of Arnold & Porter LLP on the prevention, mitigation and response to a data breach.
There is some overlap between mitigation and prevention, but mitigation is important enough to warrant its own category. On a regular basis, businesses should conduct a risk assessment of its data protection policy to ensure that only a minimum amount of data is lost in a breach and that the data lost is of little or no value to the data thief. An effective risk assessment is predicated upon a business’ understanding of how data moves through its system and knowledge of the vulnerabilities at every juncture. At a minimum, the risk assessment should include the following questions:
- Can we reduce the amount of data collected?
- Have we appropriately compartmentalized and limited access to a need to know basis?
- Are the security measures for protecting data in line with the risk of a breach?
- Can we reduce the number of devices on which data is stored and accessed (e.g., disk drives, thumb drives, servers)?
- Are the disposal procedures for obsolete data appropriate for the types of data that is collected (are paper records unreadable when disposed; hard drives erased rather than merely the information on the drives deleted)?
- Is our insurance coverage in line with the risks of a data breach?
- Have all personnel been trained and received updated training on our data protection policy?
To the extent possible, data should be inventoried and segmented so that in the event of a breach sensitive data is not fully exposed. That is, social security numbers, names, and addresses should not be maintained in the same central location.
Business should mandate and test the security practices of third party vendors and consultants to ensure they adopt and abide by equally-stringent confidentiality and security standards.
For businesses with a significant level of risk, consider adopting an intrusion detection system or software that will monitor the network for signs of a hack (e.g., new users, multiple logins from unknown computers, high traffic at unusual times) or for signs of a breach (e.g., large amounts of data being transmitted from the network).
Finally, a system with the best prevention and mitigation policies is of no use if these policies are not a part of the company culture and are not being followed by all the links in the chain. To that end, businesses should test the adopted controls and ensure that they are being consistently applied.