Magazine article Risk Management

Preventing and Reacting to a Data Breach

Article excerpt

Breach incidents have generated staggering costs to businesses in all industries. Nevertheless, a recent survey of IT practitioners revealed that nearly three-quarters do not believe their company views data security as a top strategic initiative, and a clear majority do not believe their organizations are proactive in managing privacy and data protection risks. Even among companies that have devoted significant resources to data security, breaches continue to occur. What is a business to do?


1. Assemble a data security team and assess the data. The data security team typically includes IT, legal, administrative and operations personnel and should at least have access to, and the support of, senior management. Their first job is to assess the scope of personal data maintained by the company, how the data is collected, used and transmitted, and the threats to the company's data security.

2. Develop policies and procedures. Most companies have privacy and security procedures in place. These existing policies and procedures are often disjointed, even contradictory, throughout different departments and lines of business. The data security team must fill any gaps in existing policies, eliminate redundancies and resolve inconsistencies.

3. Train, test, update and monitor. The best policies and procedures are worthless if the appropriate personnel are not trained to comply with them. A prevention program must also include routine, periodic testing of people and systems, built-in requirements for updating in the face of evolving security threats, and monitoring for compliance because the best policies will protect no one if they are just sitting on a shelf.

4. Control hardware and software. Laptops, PDAs and other mobile devices present additional challenges in the world of data security. For example, if your employees use their own equipment, how can you know that the equipment complies with your company's security requirements? A data breach prevention program must assess and control exposures related to the hardware and software used by all company personnel.

5. Mitigate risk. As the costs of data breaches escalate, data security programs should include an analysis of existing and available insurance coverages. Consider that while insurance may cover expenses for legally required steps, the company may decide to notify customers and provide credit monitoring services, even where not legally compelled to do so. …
