If a data breach can happen to Home Depot and Target, it can happen to us,” says Lee Bailey, Director of IT Security and Operations for ABC Fine Wine & Spirits, a mid-sized business in Florida with 140 locations and around 1,000 employees.

Four years ago, ABC’s CEO Charles Bailes III took the initiative to champion a more robust data security program at the company, starting with prevention efforts such as beefing up IT security, working on a data breach response plan and acquiring cyber insurance. To drive buy-in from the rest of the business, the CEO personally attended all six of the first major meetings to set up the incident response plan and teams.

“We’re focused on service excellence, and part of that is having a plan in place to mitigate damage to ourselves and our guests” in the event of a cyberattack or data breach, says Bailey.

A team of IT security and legal counsel helped to form the response plan moving forward, working with consultants at CyberScout (previously named IDT911) to craft robust, effective data breach prevention and response plans.

The response plans were developed to be more of a three-team sport. There is the executive team that was at the forefront of the effort, making sure that there was the right buy-in and resources available, says Bailey. Then, ABC developed a first-response team that looked at potential breaches and evaluated their efficacy and impact. If it were verified as a real breach, the incident response team would be deployed to triage. The incident response team would involve not only the IT team, but people responsible for public relations, legal and operations to ensure that everyone is on the same page about how to respond.

The first task was to evaluate where sensitive data is, how much there is, and who has access, and what resources and plans were currently in place to respond to a breach. After examining ABC’s pre-breach posture and determining what technology to put in place to protect data, the enterprise looked to develop a crisis management standard for during a breach, as well as a system for post-breach response, including reporting, guest management and documentation.

One vital element of having a breach-ready enterprise was getting all contracts and services decided, negotiated and in place prior to needing them, says Herb Whitehouse, In-House Legal Counsel and Director of Legal Services for ABC Fine Wine & Spirits.

“We don’t want to spend time negotiating contracts for resources during a breach,” says Whitehouse. A few experts are on-call, such as an attorney specializing in data breaches (and whose fees would be covered by a cyber insurance policy), a forensics firm and an external communications specialist who could help address the media and customers following an incident. If a call center is needed for post-breach customer service, ABC Fine Wine & Spirits already has a written agreement in place with CyberScout, so guests will be well taken care of throughout the process.

Whitehouse is also looking into adding another CyberScout service, which would provide data breach aid and customer service for ABC employees, so if an employee’s credit card is compromised elsewhere, they can rely on the employee benefit to provide information, assistance, peace of mind and education about good cyber hygiene, which could bring benefits in employee productivity and cybersecurity back to ABC.

Cyber insurance was also on the list of key contracts, and getting a policy actually helped direct ABC to other trusted experts and vendors in the cybersecurity arena, as many insurers have lists of preferred vendors.

“Organizations have been, maybe, over-relying on cyber insurance, and not everyone knows what’s in their cyber insurance policy,” says Eric Hodge, Director of Consulting at CyberScout. “It’s a little sad when you get to that point of someone calling about a breach, and they don’t know if the incident response component is covered or just the cost of notification or maybe some of the business or customer losses that they may see as a result… It’s important to remember that good practices go along with having that insurance. It’s almost like how you have to drive your car safely in addition to having auto insurance. The auto insurance isn’t going to keep you from getting in a wreck, and you don’t want to be in a wreck no matter if you’re insured or not. It’s your responsibility to be proactive here, in taking the measures and putting the right measures, technology and educational components into place so you can avoid falling back on those insurance policies.”

“A lesson learned here was: Just start,” says Bailey. “If you start, it will take you down a path.”

He adds that “Security is a nebulous term, and at the beginning of the process, you should pick a standard (such as the NIST Cyber Security Framework, or a more sector-specific guideline) that makes the most sense and measure your program and efforts against it.”

In addition, companies should ensure that policies and procedures are improved every year, Bailey says, and they should perform tabletop exercises and drills to gain insight into their crisis response. ABC is working to educate team members through phishing tests and compliance training, and Bailey and Whitehouse are always on the lookout, with help from their partners, for ways to make their tools and procedures better.

Where to Start on Your Data Breach Response Plan