Navigating the Critical First 48 Hours of a Data Breach

Does your company have a detailed incident response plan in the event that your systems are breached and potentially sensitive data is seized?

The first 48 hours after a data breach is discovered are a critical period in which the company's reputation is on the line and, as hours turn into weeks, so potentially are the jobs of the CEO, CIO and CISO. Given the prevalence of attacks and the lucrative rewards motivating criminals, you'd think companies would have wised up, if not before the negative example of Target's breach three years ago, then after it. But the way Equifax has handled its massive breach of consumer data is proof that the same mistakes are being made over and over, with the attendant resignations of the CEO, CIO and CSO. Dear C-suite: No mulligans will be allotted for poor handling of a security breach.

Security Boulevard asked a wide range of security experts to detail the five most critical steps that any business should take during the first 48 hours following the discovery of a data breach. The responses varied widely but overlapped significantly in a couple of areas, and a follow-up question clarified the priority: What is the single most important step you should take in the first 48 hours? There was widespread agreement that companies should follow a prescripted incident response plan.

What’s more, most of our experts asserted that the single biggest mistake companies make is to either not follow their incident-response plan or, more likely, not have one. Adroitly managing the first 48 hours of a data breach requires preplanning at a level that many companies probably haven’t considered.

“It’s not what you do in the first 48 hours that determines whether you can successfully mitigate a data breach; it’s what you’ve done beforehand in preparing for such an event,” says Kevin R. Powers, professor of Cybersecurity at Boston College. “The companies that have an incident response planning team will be much better able to weather the storm.”

Powers adds, “Your incident response team should not be meeting each other on the day of the data breach, nor should you be calling law enforcement that day for the first time. Those relationships should already be in place, along with retainment of outside counsel and your forensics team. Negotiating a contract for legal and forensic services during a breach is a costly waste of time, especially when your energy should be focused on mitigating the breach.”

Communication is another step that many agree is important in the first 48 hours. But communication to customers and end users can be a crucible for many companies, since “it could take days or weeks before you really understand the magnitude of the breach and what may have been stolen,” says Josh Zelonis, senior analyst, Security and Risk at Forrester. And yet, regulations for some industries or states require you to report much earlier than that. “California had a 72-hour breach notification law that passed in 2003. It was extended to 15 days in 2014 because 72 hours wasn’t enough time to get mobilized and really understand the problem before notification.”

Since no two experts agree on the same set of steps to take at the outset of a data breach event, what follows is an amalgam based on the answers of the experts who contributed to this story.

Take These 5 Steps in the First 48 to 72 Hours

1. In preparation for a possible breach, create a prescripted incident response plan and identify a team consisting of contracted external expertise and key internal personnel to carry it out. Key stakeholders might include internal and/or external incident response management, forensics, security/privacy legal counsel, public relations, human resources, security personnel, IT personnel and others. The companies most likely to come out of a data breach in the best shape are those whose incident response team practices with a playbook of different scenarios and situations.

2. Contain the breach: isolate affected systems and revoke credentials known to be compromised, but do so in a way that does not destroy evidence (for example, image a suspect machine before rebuilding it rather than wiping it first). Prepare in advance to bring in outside expertise if needed.

3. Launch the effort to determine the cause of the breach and to remove the vulnerability by bringing in your previously contracted forensics service and/or qualified in-house resources. In large part, this entails gathering and correlating logs from all security controls. Preserve all evidence: work from copies rather than the originals, record who collected what and when, and keep integrity hashes so the copies can later be shown to be unaltered.

4. Communicate to employees immediately and publicly as soon as possible—within 48 hours if sensitive data is known to have been compromised. "This is where a breach-notification services provider can help you with things like call center support, notification letter mailings and offers of identity theft monitoring/protection services to affected individuals," says Heidi Shey, senior analyst, Security and Risk at Forrester. She advises that companies engage such a provider before disaster strikes to develop a prebreach plan. In your communications: Be honest, avoid defensiveness and take responsibility.

5. Team members should document key findings and facts for an after-incident evaluation meeting when things are wrapped up. “Discuss what went wrong and what needs to be done to prevent it from happening again. If you haven’t faced a significant incident in some time, use the latest news stories to role-play within your organization,” says Darrell Switzer, managing director of Incident Response at Kudelski Security. Ask questions such as, “What would we do if that happened to us? Would we be able to detect the compromise and limit the breach?”
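The "preserve all evidence" instruction in step 3 is easy to state and easy to get wrong under pressure. The script below is an added example, not code from the article or from any of the experts quoted in it: it seals a directory of collected log files by recording each file's size and SHA-256 digest together with a chain-of-custody entry, and it re-checks those digests later so that any post-collection edit (a well-meaning admin "tidying up" a log, say) is detected. The log contents, file names, case identifier and collector name are all constructed for illustration.

```python
"""Evidence-preservation manifest for collected incident logs.

Added example, not from the original article. The sample logs, the case ID
and the collector identity below are constructed for illustration only.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample "collected logs" from three different security controls.
SAMPLE_LOGS = {
    "firewall.log": "2017-09-07T03:12:44Z DENY 203.0.113.7 -> 10.0.0.5:443\n",
    "webserver_access.log": (
        '203.0.113.7 - - [07/Sep/2017:03:12:45 +0000] "GET /login HTTP/1.1" 200 512\n'
    ),
    "auth.log": "Sep  7 03:12:46 app01 sshd[2211]: Accepted publickey for deploy from 10.0.0.9\n",
}


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large captures need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Record name, size and SHA-256 of every file in evidence_dir plus a custody entry."""
    items = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            continue
        items.append({"file": name, "size": os.path.getsize(path), "sha256": sha256_file(path)})
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(evidence_dir, manifest):
    """Return the names of files that are missing or whose hash no longer matches the manifest.

    An empty list means every recorded file is still byte-for-byte what was collected.
    """
    changed = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["file"])
        if not os.path.isfile(path) or sha256_file(path) != item["sha256"]:
            changed.append(item["file"])
    return changed


def write_sample_evidence(evidence_dir):
    """Write the constructed sample logs into evidence_dir so the example runs offline."""
    for name, content in SAMPLE_LOGS.items():
        with open(os.path.join(evidence_dir, name), "w", encoding="utf-8") as handle:
            handle.write(content)


def demo():
    """Seal a fresh collection, then show that a later edit to one log is detected.

    Returns (changed_before_edit, changed_after_edit); expected ([], ["auth.log"]).
    """
    with tempfile.TemporaryDirectory() as evidence_dir:
        write_sample_evidence(evidence_dir)
        # Hypothetical collector and case identifiers.
        manifest = build_manifest(evidence_dir, collector="ir-oncall", case_id="CASE-0001")
        before = verify_manifest(evidence_dir, manifest)
        # Simulate someone appending to a log after it was collected.
        with open(os.path.join(evidence_dir, "auth.log"), "a", encoding="utf-8") as handle:
            handle.write("Sep  7 04:00:00 app01 sshd[2300]: session closed\n")
        after = verify_manifest(evidence_dir, manifest)
        return before, after, json.dumps(manifest, indent=2)


if __name__ == "__main__":
    before, after, manifest_json = demo()
    print(manifest_json)
    print("changed before edit:", before)
    print("changed after edit:", after)
```

The manifest only proves integrity relative to itself, so store it somewhere the people with access to the evidence cannot quietly rewrite (a write-once share, a ticket attachment, or a copy held by outside counsel), or sign it; otherwise an attacker who can alter a log can alter the manifest to match.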

A Raleigh, North Carolina law firm called Smith Anderson has long been a notable point of reference regarding preparing a company for a data breach because of its comprehensive Data Breach Checklist. It’s a good place to get your feet wet.

Scot Finnie

Scot Finnie is an award-winning business and technology journalist, reviewer, columnist, editor, and manager. He was the editor-in-chief of Computerworld for 10 years. He has been a Windows and macOS operating system expert for two decades, has torture-tested laptop PCs, and was ZDNet's first editor.