Parker McCay Blog
Data Breach – Prepare to Act Rather than Waiting to React
December 16, 2014

If the threat of a data breach at your business has not moved you to action before now, the recent deluge of headlines regarding breaches and cyber attacks at healthcare facilities and retail businesses should be getting your attention. In fact, earlier this year, the FBI took the step of issuing a Private Industry Notification stating that the healthcare industry “is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures, much less against more advanced persistent threats.” The FBI noted from a February 2014 SANS report: “Data analysis revealed multiple devices (e.g., radiology imaging software, digital video systems, faxes, printers) and security application systems (e.g., VPNs, firewalls, and routers) were compromised” with the biggest vulnerability being “IT health care professionals’ beliefs that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise.” And increased use of cloud service providers raises even more questions of whether there is adequate security in place. But enough of the scare tactics.

Maybe you are stymied by just what to do. Uncertainty leads to ambivalence, which results in inaction. And to invoke a cliché: when it comes to data breach prevention and preparation, perfection is the enemy of good. You will not find a perfect system for preventing or preparing for a breach. So, if you have put off learning about how to prepare for a data breach, or if you have a pretty good idea of what to do but have hesitated, the time to act is now. And that means having a plan.

Start by acquiring knowledge. This means determining which standards apply to your business and how to comply with them. If you are a healthcare provider, the federal Data Breach Notification rule applies. But healthcare and non-healthcare businesses alike are subject to state data breach notification laws, such as New Jersey’s Identity Theft Prevention Act. If you operate in multiple states, you must know what each state’s data breach notification law requires. Then there are security requirements related to credit card transactions. Additionally, you must know what contractual promises you have made (and whose promises you are relying upon) related to information privacy, security, and data breach notification.

The next step is to draft your team, both internally and externally. Within your organization, include people whose jobs give them different perspectives and skill sets to address where the security risks lie and how best to respond to them, both prior to and after a breach. Externally, you want to have vetted, and standing by, a team of experts who can guide you through the legal analysis (Which laws apply to this particular incident? Does this incident constitute a “breach”? Who must be notified, how and when?) and who can respond timely and skillfully to provide the required forensic investigation, evidence preservation, audit, mitigation, and correction that must be part of your response. In other words, who are you going to call once you get the call? This is a team you must put in place now, not when the breach happens.

So no more excuses. This is the framework for your data breach plan. This is how you prepare to act. *

The content of this article is for informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances. You should consult a lawyer concerning your specific situation and any specific legal questions you may have.

* FBI Cyber Division, Private Industry Notification, 04/17/14, PIN #: 140408-010, https://www.vendormate.com/sites/default/files/Health-Systems-Cyber-Intrusions-FBI-PIN-140408-010.pdf
