ID Experts is in the business of dealing with privacy breaches. They have a variety of incident response services and tools. Today Jeremy Henley, Director of Breach Services at ID Experts, joins us to talk about breach response plans.


A Breach Response Plan is something you will need, not something that you may need.

It isn’t a matter of if you will have a breach but when you will have one.  The questions you have to answer in your business are:

  1. How much can you limit what they can do when they get in by working your compliance and security plans?
  2. Are you prepared with an effective breach response plan to handle the fallout when it does happen?

The details in your breach response plan lay out how you handle the long list of things that have to be addressed when the bad things happen.

Breaches happen to all types and sizes of businesses. Since every breach is a unique case, there has to be a way to address things in a customized way based on the type and size of the breach, while having an overall plan to handle all breach cases no matter the type or size. To build your plan you have to think about things both ways.

The cost of adding a company like ID Experts to your plan isn’t up front, thankfully. It also isn’t priced based on what is required when a breach happens. That means, no matter what, your needs control the prices they set. Kardon often has clients set up an account with ID Experts as part of their breach response plan. It doesn’t cost anything just to be someone they know. We found it helps create at least a “go to” person for all the things you may not be prepared or able to handle.

As Jeremy mentioned, “The clients we serve don’t know when a breach is going to hit and neither do we.” That means that your plan has to be able to scale up quickly when it is needed and then back down when it isn’t required any longer. Keeping costs down on those kinds of things while also having a plan to respond can be a big challenge for any group, but especially for smaller organizations.

It would be really difficult to have a for-profit fire department because you just don’t know when you are going to need them. – Jeremy Henley

Your breach response plan has to account for all kinds of things.  The list of services bundled by ID Experts is based on things people actually need them to do after a breach.  Using that list can help you check your plan details to make sure you have it all covered, too.

ID Experts YourResponse Package of Products

  • Forensics
  • Notification & Crisis Communications
  • Credit Monitoring
  • Identity Monitoring
  • Health Monitoring
  • CyberScan
  • ID Theft Insurance and ID Theft Recovery

When you do have a breach, you want to be able to follow your breach response plan and not panic.

Your plan needs to address how to deal with breaches of information relating to people who aren’t in your local area.  Do you ever see a patient from out of town or one that moves?

Does your staff really know what to do if someone puts a microphone in their face asking about the breach you just had to publish in a news release? If you aren’t prepared when these stressful things happen, you can lose control quickly.

Identity theft protection is one thing, but what about your medical record information? How do you cancel a medical record? There are all kinds of protections you can offer to patients or at least explain to them as an option.

Once you do have a plan, the whole team involved in breach response needs to be trained. Your plan should also be reviewed and tested on a regular basis. Testing is usually done in a discussion format: a tabletop drill where you discuss scenarios and how you will respond.

Is CyberSecurity Insurance worth it?  Yes.  Be aware of what you are getting and what is covered – that should also be part of the plan.  Use a broker that really understands cybersecurity policies for HIPAA CEs and BAs.