ISACA Journal Author Blog


The Difference Between a Data Breach Notification Plan and an Incident Response Plan

Published: 4/9/2012 8:00 AM

Steve Markey

In light of the data breach involving Zappos in January 2012 and Matthew J. Schwartz’s article in InformationWeek, I decided to use this space to highlight the similarities and differences between a data breach notification plan and an incident response plan.

Both types of plans require stakeholder ownership, a working document, resource allocation and a willingness to practice what the organization preaches through testing. However, an incident response plan deals with a known-unknown, while a data breach notification plan deals with a known-known. In other words, an organization responding to an incident is dealing with a perceived problem; once the incident is determined to be an actual problem, the organization will have to execute its data breach notification plan.

Incident response and data breach notification plans also differ in what drives them: data breach notification planning is driven by the law, whereas incident response planning is driven by standards and/or best practice. Furthermore, the scope of a breach notification action can quickly spiral out of control when multiple jurisdictions are affected. Beyond the law, breach notification is externally focused, which requires a well-crafted message for the customers, partners, vendors, media, public and/or government.

A breakdown of the nuances of each type of plan follows.

An incident response plan:

  • Is a response to a perceived incident
  • Is predominantly internally focused (e.g., employees, contractors, partners, vendors)
  • Should be a requirement that is driven by industry standards, internal best practices and/or operating procedures
  • May encompass multiple nuances depending on the affected business ecosystem
  • Requires determined process and communication flows
  • Requires testing

A data breach notification plan:

  • Is a response to an incident
  • Is externally focused (e.g., customers, partners, vendors, media, public, government)
  • Is a requirement that is driven by data protection and privacy rules and regulations
  • Is costly (e.g., monetarily, customer approval/trust, brand, partner relationships)
  • May encompass multiple nuances depending on the affected jurisdictions/geographies
  • Requires a well-crafted message
  • Requires testing

Read Steve Markey’s recent Journal article:
“Testing Your Computer Security Incident Response Plan,” ISACA Journal, JOnline, volume 2, 2012
