Breaches, lapses, incidents. They are going to happen, and they are going to happen to you. How you prepare will make a huge difference both mid-crisis and post-crisis. That was the premise of a session at the IAPP’s most recent Practical Privacy Series in New York City.

Experts Emily Stapf, director of cybercrime and forensic investigations at PricewaterhouseCoopers; Mark Seifert of Brunswick Group, and Tim O’Brien of the FBI’s cybercrime division focused on the reality that organizations must shift from the mindset that breach preparedness is important because a breach might occur and understand that breach preparedness is important because a breach will occur—and it’s only a matter of time.

Before a breach, during peacetime, Stapf suggests walking through the company playbook to ensure the appropriate policies are in place, particularly surrounding data.

“Much like an IT team would go through exercises, think of data breach prep in the same light,” she said. “The opportunity before you have an active breach is for you to really lock down on what kinds of sensitive data you have in your organization and where it is—document data flows.”

The experts discussed the people, processes and technology organizations should employ to ensure the best possible outcome before, during and after a breach occurs.

Before the breach

People

  • Know who you’ll call for help.
  • Establish an incident response team.
  • Provide regular training for employees, and keep an outside team—including forensic experts, privacy counsel and communications firms—close by.

Processes

  • Know what data you are protecting and where it is stored.
  • Go through hypothetical breach scenarios with a response team.
  • Know which employees have access to which applications and learn what the reporting obligations may be in case of a breach.

Technology

  • Enable network logging, and be sure log storage and retention are large enough to keep the history you will need.
  • Back up servers and be sure backups are under control.
  • Enforce records management, and destroy old data.
  • Implement full-disk encryption on laptops.
  • Implement increased security measures, such as password standards.
  • Implement DLP to monitor the perimeter.
  • Effectively manage security integration from acquisitions.

Seifert said communication is an essential part of the data breach response, and a plan should absolutely be established before a breach occurs.

“I would want to know ‘Who am I calling first?’” Seifert said. “I would want to know my social media avenues, who my friends are, who my enemies are. And if I’m front-and-center and leading in the privacy world, I want to know who my advocates are. Who can step in and say, ‘They are doing a great job; they’ve got the right attitude. They care about who their customers are.’”

Mistakes are inevitable, he added, but how a company handles an incident is what will differentiate it from its competitors.

During the breach

People

  • Keep the circle of people who are “in the know” small.
  • Engage forensic experts, a communications team and privacy counsel from the beginning.
  • Run the incident response as a managed project, with clear ownership and tracking.
  • Anticipate threats internally and externally.
  • Consider the impact of third parties.

Processes

  • Act immediately to remediate vulnerabilities.
  • Don’t reach out to the public too soon.
  • Cast a wide data-mining net.
  • Document actions taken to share with regulators later.
  • Keep the investigative team updated.
  • Do not communicate preliminary numbers.
  • Consider each finding’s business impact.

Technology

  • Take live memory dumps before shutting down servers.
  • Insist on full forensic images of servers and laptops.
  • Pull network logs immediately, and increase log capacity.
  • Pull oldest available backups.
  • Reset passwords quickly.
  • Be careful with evidence handling.

Stapf said it’s essential to have full-disk encryption and servers that are backed up and intentionally tested.

“You’ve got to be testing these things as you go,” she said. “The biggest thing from a technology perspective is making sure you’ve got logging enabled. Network logs are digital fingerprints that tell you who traversed the networks at which point in time. It’s extremely valuable when the breach happens, but before the breach, you’ve got to turn it on.”

The FBI’s O’Brien knows firsthand how messy post-breach investigations can be.

“Our job is to figure out who did it,” O’Brien told the crowd. “In almost every situation we’ve dealt with, and we deal with a lot of really big companies, there’s confusion on the company’s end as to who on the network team has access to what—that is, who can actually go and pull things off of that computer so we can get some evidence that there’s a piece of malware.”

O’Brien said the FBI’s cybersecurity team tends to focus less on scams these days and more on intrusions; spear phishing in particular has become an increasingly popular way to steal data.

“It’s important to be aware of that, because it works, and it’s the simplest way to do it,” he said.

After the breach

People

  • Use the breach to make the case to the board for strengthening the security program.
  • Revisit data governance structure, including security, legal and risk management.
  • Give employees a transparent and consistent message.
  • Use the opportunity to roll out privacy training.

Processes

  • Don’t assume it’s over until it’s over.
  • Use the opportunity to expand privacy and security programs.
  • Document lessons learned.
  • Do not overcommunicate or revise numbers.
  • Anticipate long-term regulatory scrutiny.
  • Use the opportunity to build privacy and security into new initiatives.
  • Build a playbook.

Technology

  • Develop a remediation plan with technology enhancements.
  • Test remediation actions.
  • Consider global improvements.
  • Preserve investigative evidence.
  • Change encryption, external media, USB and e-mail policies.
  • Reconsider cloud and third-party technology providers’ preparedness.

Stapf said that ahead of any post-breach investigation, it’s imperative not to let an underqualified individual take control of forensics, and it’s essential that those involved don’t narrow their collection to only what they believe to be evidence.

“You don’t know yet if you’re floating on the tip of an iceberg or dealing with an ice cube,” she said. “Make your net of data capture broader than you think it needs to be. Inevitably, you’ll go back to extreme data sources and say, ‘We’ve proven it didn’t go beyond where we thought it did,’ or you’ll know an investigation needs to expand."

Stapf went on to say that it’s imperative servers are not unplugged right away, though that may be the first reaction.

“One of the things (O’Brien) is going to want to see when he comes in to help is what kind of active malware was running at the time you noticed the breach, and those pieces only exist for a fleeting moment on a system.”
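The technology steps the panel lists for the middle of a breach (memory dumps before shutdown, full forensic images, logs and backups pulled early, careful evidence handling) and Stapf’s point that active malware lives in memory only for a fleeting moment both come down to two disciplines: collect in order of volatility, and handle every artifact so its integrity can be proven later. The Python script below is an added example, not code from the article, PwC or the FBI. It orders constructed artifacts by a volatility tier, hashes each with SHA-256, makes it read-only, and writes a manifest that a later verify() call checks for tampering. The tier names, manifest fields, sample file names and the `collector` label are assumptions chosen for illustration, not a standard format.

```python
"""Evidence-preservation helper (added example, not from the IAPP article).

Demonstrates two points the panel made: capture volatile artifacts first,
and handle evidence so its integrity can be proven to counsel, regulators
or the FBI later. Tier names, manifest layout and the `collector` field
are assumptions for illustration, not a standard."""
import hashlib
import json
import os
import stat
import time
from dataclasses import dataclass, asdict
from typing import Dict, List

# Order of volatility: lower number disappears sooner. Memory is first,
# which is why the panel warns against unplugging servers before a capture.
VOLATILITY = {
    "memory": 0,
    "process_state": 1,
    "network_state": 2,
    "disk_image": 3,
    "logs": 4,
    "backup": 5,
}


@dataclass
class Artifact:
    path: str          # file produced by the capture tooling
    kind: str          # one of the VOLATILITY keys
    source_host: str   # host the artifact was taken from (assumed label)


def sha256_file(path: str) -> str:
    """Stream the file so multi-GB images and memory dumps need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquisition_order(artifacts: List[Artifact]) -> List[Artifact]:
    """Sort by volatility tier so memory is worked before log exports or backups."""
    return sorted(artifacts, key=lambda a: VOLATILITY[a.kind])


def preserve(artifacts: List[Artifact], collector: str) -> Dict:
    """Hash each artifact, make it read-only, and record who took custody and when (UTC)."""
    entries = []
    for a in acquisition_order(artifacts):
        digest = sha256_file(a.path)
        os.chmod(a.path, stat.S_IRUSR)  # owner read-only; no write bit anywhere
        entries.append({
            **asdict(a),
            "sha256": digest,
            "size": os.path.getsize(a.path),
            "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "collector": collector,
        })
    manifest = {"collector": collector, "entries": entries}
    # The manifest's own hash is the value that goes into the custody log.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(entries, sort_keys=True).encode()).hexdigest()
    return manifest


def verify(manifest: Dict) -> List[str]:
    """Re-hash every artifact; return paths whose bytes no longer match the manifest."""
    return [e["path"] for e in manifest["entries"]
            if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]]


def demo() -> Dict:
    """Constructed sample: two tiny files stand in for a memory dump and a log export."""
    import tempfile
    d = tempfile.mkdtemp(prefix="evidence-")
    mem, log = os.path.join(d, "srv01.mem"), os.path.join(d, "fw01.log")
    with open(mem, "wb") as f:
        f.write(b"constructed memory capture\n")
    with open(log, "wb") as f:
        f.write(b"constructed firewall log line\n")
    # Deliberately listed in the wrong order; acquisition_order() fixes it.
    artifacts = [Artifact(log, "logs", "fw01"), Artifact(mem, "memory", "srv01")]
    manifest = preserve(artifacts, collector="analyst-1")
    clean = verify(manifest)            # [] while nothing has been touched
    os.chmod(log, 0o600)                # simulate someone editing evidence after custody
    with open(log, "ab") as f:
        f.write(b"edited after acquisition\n")
    tampered = verify(manifest)         # [log]
    return {"order": [e["kind"] for e in manifest["entries"]],
            "clean": clean, "tampered": tampered, "manifest": manifest}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real acquisition, build the Artifact list from the files your capture tooling wrote (the memory image, disk images, exported logs, the oldest backups), record the manifest hash in the custody log, and run verify() again before the images are handed to outside forensics or law enforcement; a non-empty result means the evidence can no longer be shown to be what was collected.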

Seifert said, throughout breach management, a company’s messaging is essential. A communications strategy must be developed, and any part that can be prebuilt should be.

“Even if you get the law right but you get the communications strategy wrong, you’re going to get pilloried in the public, and you will lose,” he said. “Your brand may be tarnished, and that may cost you a lot more at the end of the day than just paying for credit-monitoring.”

Seifert suggested organizations resist playing “the blame game” and instead focus on what the customer wants and needs to know, such as, “Are you going to take care of me? Has the bleeding stopped?”

It’s damaging to convey to an affected consumer that the breach is minimal and unimportant.

“If it’s my information, it’s really big, and I take it really seriously,” Seifert said. He added it’s important to know who the relevant regulators are and how they interact, and guarantee that any internal documents do not circulate.

Any commitments an organization makes to the consumer early on in the breach investigation process must be followed through, he said.

“You have to live by those commitments. If you don’t do right by them the first time, they won’t believe you the second time. And there will be a second time.”

Written By

Angelique Carson, CIPP/US

