Data Breach Response: The Continuous Improvement Cycle

Ever tried? Ever failed? No matter. Try again. Fail again. Fail better. So said Samuel Beckett. And quite pertinent in the context of data breaches. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt explains that, in a world where a data breach is almost inevitable, learning from past failures and continuously improving is the key to mitigating data breach risks in future.

Culture of continuous improvement

The culture of continuous improvement is imperative to the success of your business. Despite operating carefully designed information security and data protection systems and adhering to information security and data protection policies, data breaches are likely to occur to every business at some stage. The key performance differentiator for your business will be how your organisation reacts to a data breach and improves after the incident.

Capture, configure, communicate

These three elements – capture, configure, communicate – focus upon a system that can help your organisation acquire information, build institutional knowledge, and assimilate learning points into operational systems.

Capture: This means the adoption of a reliable system that can immediately capture important incidents and information for future analysis and review. All incidents should be at least logged, and the log should contain essential information for future analysis.

Configure: Logged information should be regularly reviewed and configured in order of priority. This supports task allocation in respect of remedial efforts, response and planning.

Communicate: Communication goes vertically and horizontally – throughout a team and across the different teams and departments of your organisation. The people of an organisation are the first line of defence and the best weapon against information security threats. The capability and impact of a single person is limited when measured against the scale of current cybersecurity threats. Building institutional memory means that the memory must be stored and accessible by the people in the organization at any time and whoever they may be. Succession planning is built into the improvement cycle for the organization.

This allows the brains of many (not the will of one) to work together and align to a common goal of information security.

Continuous improvement

There are three elements in a continuous improvement cycle.

First, there must be a consistent monitoring system in place to improve internal processes. There should be consistent testing, assessment and analysis of policies and procedures, and their implementation; all focused on finding and resolving stress points and weaknesses so that the information security is robust, resilient and reliable. Although monitoring should be consistent, it should not only comprise routine, regular assessments. Spot checks, external penetration tests, and ad hoc assessments are all important means.

Combine monitoring processes with feedback analysis and evaluation. The intention is to create a virtuous feedback loop. Testing and analysis provide feedback from which lessons are learned, from which improvements are documented and made, which lead to renewed testing and analysis, and so on as matters continuously progress and improve.

Second, there must be a programme of learning that is focused on the external environment. Otherwise, there is a risk that information security will be insular and will calcify. Relevant persons in the incident response team should gain relevant industry certifications in information security and attend the continuous learning and development programmes needed to maintain those certifications. This will connect those persons with peers in similar businesses. This is important as it increases the opportunities to learn from the experience of others and brings external knowledge and know-how into your business and organisation.

Third, there must be a programme for incident reports and analysis. This incident driven analysis will give specific intelligence about improvements that are necessary. Incident analysis is not just about the narrow fix to a single incident. It is about finding root causes of deeper problems or patterns that might suggest a more systemic risk. This involves a form of incident analysis that correlates to previous incidents and identified trends that need investigation and attention.

Third, there must be a programme for incident report and analysis. This incident driven analysis will give specific intelligence about improvements that are necessary. Incident analysis is not just about the narrow fix to a single incident. It is about finding root causes of deeper problems or patterns that might suggest a more systemic risk. This involves a form of incident analysis that correlates to previous incidents and identified trends that need investigation and attention.

Data breach response

A serious data breach may provide potentially transformative information that can help to improve the information security of a business in future. This is why a data breach response is not complete until there has been a rigorous post-mortem of the data breach and the effectiveness of the response to it. Critical self-examination is necessary, and tough questions must be answered. What worked well? What did not? Where are the areas for improvement? These points of learning must then be captured, configured and communicated across the team and must become part of the continuous improvement cycle for data breach responses.

Closing thoughts

Data breaches are almost inevitable. So there will always be a degree of failure in the resilience of any information security system. Adopting a continuous improvement management system will reduce errors and their impact. A business may fail better, but only if it learns from each diminishing failure.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Pádraig Walsh
Partner | E-mail

Nigel Stamp
Foreign Legal Consultant | E-mail

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.