Cyber incidents have been growing at an exponential rate in recent years. A recent report from the Identity Theft Resource Center found that there were over one billion data breach victims in Q2 of 2024, which is around five times the number of victims accounted for in the first half of 2023.  

Organizations looking to protect themselves from the financial and reputational impact of a data breach need to have a robust and carefully strategized response plan in place, and that response plan begins with an effective notification strategy. The execution of that strategy can impact everything from regulatory penalties to class action litigation to the trust of clients, partners, and employees. 

One silver lining of the continuing upward trend of data breach incidents is that organizations and industry experts are continually developing stronger and more effective strategies for handling them. Using that hard-earned knowledge as a playbook can help organizations mitigate damage if and when a data breach does occur.

Understanding Data Breach Notification Regulations

Data breach notification is not only crucial for keeping stakeholders, employees, and data breach victims abreast of the ongoing incident, but it’s also an obligation under state, federal, and international law. Understanding those regulatory obligations is the foundation of developing a sound response plan.

In the United States, data breach notification legislation is currently comprised of a patchwork of state-level laws. Organizations operating in the healthcare, financial, and insurance industries are also beholden to industry-specific regulations. Internationally, data breach notification obligations can vary widely. 

Complying with these data breach laws, and potentially juggling several at once, is one of the more difficult aspects of creating a strong cyber incident response strategy and it’s a common reason for ineffective incident response. 

Epiq VP of eDiscovery and Cyber Solutions, Brandon Hollinder, found that in many data breach responses, “People didn’t necessarily take the time to understand [compliance] obligations up front and that can slow down the actual response or their ability to comply.”

This is why it’s crucial for organizations to not only understand all applicable data breach laws during an incident, but to also understand what data they have, how they keep it, where and for how long it’s stored, and why it’s being stored. 

Contractual Data Breach Notification Obligations

Contract provisions regarding data breach notification can place significantly more pressure on organizations following a cyber incident. While state laws may offer a 30-day window for notification, and often even more than that, some contracts reduce that timeframe down to as little as 24 hours. Meeting those obligations requires an effective contract management system, which can more easily be established with the help of Contract Lifecycle Management tools.  

Best Practices for Developing an Effective Data Breach Response Strategy

Notification is a critical aspect of an effective data breach response, but it’s only part of it. Ensuring effective notification means having a robust response plan in place. That plan should include the following:

Retaining Breach Counsel

Data breaches are complex incidents that move at a breakneck pace. If organizations are rushing to better understand effective response strategy in the midst of one, they will be moving far too slow. That’s why retaining expert counsel with hands-on experience in data breach response is vital.

Given the complexity of a data breach incident, it’s unlikely that engaging inexperienced counsel will provide an effective response, and according to Brandon Hollinder, it can even be detrimental. He says that “one of the challenges we have is when we’re helping a client on [a data breach incident] and they’ve engaged counsel that isn’t an expert on this, who doesn’t do breach or cyber or security all the time…those are the hardest cases to work through.” 

Expert breach counsel can operate like a quarterback during cyber incident response, delegating responsibilities, unifying the response, and mitigating risk. A common error for many organizations is to panic following a cyber incident and hastily reach out to third party vendors without a unified strategy in place, resulting in a chaotic and ineffective response. Breach counsel can help to avoid this issue.  

Notify Insurance Broker and Carrier First

The first step for organizations responding to a cyber incident should always be to inform their broker and carrier. It’s common for organizations to avoid notifying insurance promptly, as they fear the impact it will have on their premiums. In reality, data breaches are so commonplace today that an effective response can actually show insurance carriers that the organization is a reduced risk rather than a heightened one.   

Developing a Unified Voice

Mixed messaging during a cyber incident response can indicate incompetence at best and dishonesty at worst. No matter who these conflicting communications are directed at, they will be looked at as an alarm bell that can not only result in broken trust, but in regulatory penalties and class action litigation.

Breach counsel can work to unify communications across all channels, provide all crucial information, prevent oversharing, ensure maximum transparency, and share relevant updates. Breach counsel can also communicate with law enforcement, as they have developed a rapport and have experience in effectively communicating with these organizations.

Remaining Prepared

The efficacy of the immediate post-breach response is going to be determined by how much planning is done ahead of time and how good of a plan was put in place. That time up front allows for the correct execution when an actual event arises.

Data breach response is not something that can be handled on the fly. Organizations must have a clear plan in place well before an incident occurs. Responsibilities should be delegated, strategy should be communicated, and third-party help should be on standby. 

Data breach response strategies can be clarified and strengthened with the help of tabletop exercises designed to simulate the planned response in real time. These exercises won’t just help stakeholders understand their role in the response, but provide a sense of confidence and muscle memory that can mitigate risk and allow them to keep pace 

Every organization is different, which means that an effective data breach response plan must be tailored to that organization’s unique needs. Third-party vendors should understand the organization, their client base, their financials, and their workflow to ensure an effective response. 

Rebuilding Trust

There will likely be some reputational damage incurred following a cyber incident, but an effective response strategy and notification protocol can help to mitigate it and allow for trust to be more easily regained. How an organization responds, the team it has put together, the quality of communication, and the level of transparency are all significant factors. 

“You can’t go back an undo that event that happened, so what can you do to show the positives? If you don’t have a unified message…that’s where you can run into challenges…and that’s where you lose the trust.” – Brandon Hollinder

Conclusion

There is no surefire way to avoid a data breach which means a robust response plan is critical, and that includes a clear plan for notifying the necessary entities. Because data breaches are so complicated and the related risks are so high, developing that plan is not something that should be kept strictly internal. Working with data breach experts prior to and during an incident helps to ensure an effective response strategy and compliant notification protocol. Remember that the efficacy of an incident response is largely decided prior to the incident occurring. That’s why preparation is paramount.