Prepare for the Inevitable with a Data Breach Response Plan

A Q&A with cyber-risk management expert Jay Shelton

By Roy Maurer, November 11, 2014
Jay Shelton, senior vice president of risk management services at insurance brokerage Assurance.

Business functions increasingly rely on HR information systems and the Internet, heightening cyber-risks that can severely disrupt a company’s business, impact its reputation, and compromise sensitive customer data and intellectual property.

More than 78 million records were exposed in 644 data breaches this year through November 2014, according to the most recent report from the Identity Theft Resource Center.

And according to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million.

Risk management expert Jay Shelton, senior vice president of risk management services at insurance brokerage Assurance, headquartered in Schaumburg, Ill., spoke with SHRM Online about cybersecurity best practices, the importance of conducting a risk assessment and the elements of an effective incident response.

SHRM Online: What are some key cybersecurity best practices?

Shelton: Data privacy and security practices vary from industry to industry and from state to state, but certain best practices apply to all organizations. Assign one person to be responsible for data security with enough authority to get things done. Conduct a risk assessment to identify areas of vulnerability and improve your network security. Implement policies and procedures that limit access to sensitive data and record storage.

Consistent enforcement is the key to compliance. Review and improve your vendor contracts to make sure your service providers who have access to your confidential and personal information are required to protect your information, specifically if you’re using cloud-based storage. Implement a continuous employee awareness, education and training program on your data security policies and procedures. Prepare for a data breach by having an incident response plan reviewed and tested frequently to ensure the plan can be executed effectively and in a timely manner. Have cyber and privacy liability insurance coverage with appropriate limits of liability, so in the event of a data breach, you have a financial backstop to cover the losses that may occur as a result.

SHRM Online: What goes into an effective incident response plan?

Shelton: A comprehensive incident response plan should outline the steps to take if a data breach is suspected or occurs. A living document, which should be continuously updated as the business changes, must outline who will respond to a breach and how. The plan should be clear, succinct and organized, while containing the appropriate details for response. Every plan needs the roles and responsibilities of the incident response team outlined. This should include both internal and external team members, as well as their detailed contact information, along with their notification level. The various trigger notifications—of a response team, insurance carrier, law enforcement, outside forensic investigation, crisis and media management—need to be understood. Detailed response procedures should also address timing, affected individuals and government notification. They should address issuing a press release, internal communications, what’s posted on the website, and accompanying remedies such as credit monitoring and identity theft resolution. Mitigation and remediation measures should cover investigation outcomes to correct vulnerabilities, harden the system from further breaches, and review and improve the incident response.

SHRM Online: How can companies determine susceptibility to cyber-risk?

Shelton: Companies should start by understanding the type of information being collected and where it’s stored. The audit or risk assessment should focus on three key areas: administrative safeguards, physical safeguards and technical safeguards.

Administrative safeguards include assessing policies and procedures regarding limiting access to confidential, personal information for customers, employees or others so that the only employees who have access to this information are those who need it to perform their job duties. Also ensure vendors have appropriate safeguards in place to protect the data you send them.

Key administrative policies include a “clean-desk policy” that requires employees to properly secure records containing confidential, personal information, backed by periodic audits to ensure the policy is followed; a record retention policy that helps ensure your organization does not keep records for longer than necessary; and an acceptable-use policy outlining how your employees should use information.

Physical safeguards could include storing paper records containing confidential, personal information in locked file cabinets; shredding records that contain confidential, personal information; and storing servers, laptops, flash drives or other sensitive equipment in secure, locked areas.

Technical safeguards can include encrypting laptops, flash drives and data stored on servers. You should update system software regularly, particularly when a specific virus or malware breach is discovered, and install and update firewalls, antivirus software and anti-spyware software to ensure the most up-to-date protection is being used.

SHRM Online: What’s the threshold of risk for notifying the company’s leadership?

Shelton: Companies experience multiple network breaches daily without incident due to good network security practices. So should leadership be notified every time a network breach occurs? There’s not a standardized threshold at which company leadership should be notified of a cyberincident. Whether there is an obligation to notify government agencies, affected individuals or the public really depends on the size and scope of the breach. Since every company is different in its risk exposure, breach notification protocols should be established and outlined in the company’s incident response plan.

Roy Maurer is an online editor/manager for SHRM.

Follow him @SHRMRoy
