malwrr

Breach Response - A Rehash

Before we begin, I would recommend to readers Data Breach Preparation and Response by Kevvie Fowler, on which this post is based.

I found this definition of a breach to be more appropriate and holistic, and it was probably the eye-catcher that got me to buy this book.

A Data Breach is basically a security incident that:
· Involves the intentional or unintentional access, disclosure, manipulation or destruction of data; or
· Meets specific definitions of a “Breach” as per state/province or federal laws or active contracts with clients, third parties or partners.

  • Direct costs are the immediate costs to the organization for managing the Breach, including determining the Breach scope, investigation-related expenses such as engaging third-party forensics and legal assistance, and the costs to identify and notify impacted customers and partners. It’s reported that the direct costs to an organization average $67 (USD) per compromised record.

  • Indirect costs are not cash-based; instead, they account for the time, effort, and resources that employees of the Breached organization spend. This generally includes lost business, loss of employee productivity and loss of brand value.

  • Systemic costs should also be considered when evaluating the impact of a Breach. An example from the retail industry: one retailer is Breached and credit card data is stolen. The Breached retailer will cover the direct and indirect costs of the Breach; however, there is also a cost to cancel compromised cards, to reissue new credit cards to the affected consumers and to account for chargebacks associated with the fraudulent transactions on accounts associated with the Breach. In this example, the single Breach can have a material negative impact on the Breached organization as well as a cascading impact across the banks that issued the credit cards and the merchants that unknowingly processed the fraudulent transactions.

Breaches are not single events that can be solved by bringing a few technologically savvy team members into a room. Breaches are one of the most complex challenges a business can face and require proper preparation to ensure they are managed throughout their lifecycle. Yes, every event can be deconstructed and studied by means of a lifecycle flow diagram.


The moment an organization is alerted about a security incident, whether the incident was detected by organizational security controls, staff, or a third-party organization or individual. After the detection of an incident, it is critical that it is escalated appropriately to invoke the CSIR Plan. Several industry Breaches have resulted in increased impact to the victim organization due to the mishandling of detection events, which were ignored or not properly routed to the organization’s CSIR Team.

Invoking the CSIRT

Engaging appropriate CSIR Team members to assemble and assist in the management of the incident. Internal stakeholders should assemble and, as defined in the CSIR Plan, determine when to bring in third-party CSIR Team members.


Confirms the legitimacy of the incident. Detailed analysis is not performed at this stage; however, organizations should review the source and details, determine whether it is plausible that the incident did occur within their organization, and determine the initial scope of the incident so the appropriate CSIR Team stakeholders can be engaged to manage it. Analysis of the information will be performed later in the lifecycle and may positively or negatively alter the scope of the incident.

ENGAGING third parties

Engaging third-party team members such as legal counsel, public relations firms, and forensic response providers. Engagement of third parties should be done in a controlled manner. Organizations that find themselves unprepared during an incident often bring in redundant third parties and give them autonomy; without clear instructions and focus, this can actually hinder the investigation, and the investigation findings and related communication can be used against the organization if not protected under attorney-client privilege.


The monitoring, collection, preservation, and analysis of electronic or digital evidence in an effort to confirm the occurrence, scope, and timeframe associated with an incident. This phase of the lifecycle should follow applicable legal requirements for evidence acquisition and preservation and help the victim organization adhere to legal response and notification obligations as appropriate.


Limiting the spread, reoccurrence, and extent of the unauthorized access within an organization. This often includes removing compromised systems from the network or shutting down compromised web applications. These steps effectively “stop the bleeding” and are driven by the analysis and qualification performed earlier in the lifecycle.


Identifying and notifying affected victims, regulators, and other parties about the Breach as appropriate. Identifying regulatory, legislative, contract, and industry good practices assists in determining the requirements. The analysis, the type of information contained in the incident and the potential impact to the victims will further help determine notification requirements.


Restoring trust to a presently untrusted host or environment. This may include rebuilding systems and networks containing compromised hosts or restoring destroyed data from backup.


Reviewing and certifying the successful recovery of the environment is an essential step in reassuring internal staff, external stakeholders, and the industry as a whole that your organization has learned and improved from the past Breach and is ready to resume trusted business operations. This step is normally performed by a team other than the one that performed incident containment and recovery.


Reflecting on the preparedness, detection, and management of the incident to identify what worked well and what requires focus to reduce the likelihood of a repeat incident, and identifying recommendations to increase your capabilities to detect and manage future incidents.

POST-BREACH activities

Managing Breach-related activities that manifest after the incident has been closed. These activities typically include lawsuits by impacted organizational shareholders, clients, and partners. Organizational leadership changes due to the Breach are also commonly associated with this phase in the Breach lifecycle.

great templates and considerations during the Notification. They have provided contact resources specific to breaches related to health records

HIPAA Breach Notification Rule:

HHS HIPAA Breach Notification Form:

Complying with the FTC’s Health Breach Notification Rule:

and some credit bureaus:

Equifax: or 1-800-685-1111

Experian: or 1-888-397-3742

TransUnion: or 1-888-909-8872

These are some of the challenges in Breach management in general compiled with lessons learned from actual Breaches that have occurred in the industry. You just don’t want to be that company.

1. Waiting too long before disclosing a Breach and notifying customers

2. Staffing an incident response team with solely technical experts

3. Ineffective operationalization of an incident response plan

4. Demonstrating a lack of support and empathy for Breach victims

And to sum it all up:

“Tomorrow’s battle is won using today’s practice to manage yesterday’s Breach.”

- Kevvie Fowler, in Data Breach Preparation and Response, 2016
