Top 10 Breach/Data Loss Objectives

By Ted Julian
11:51 AM

The Ponemon Institute recently released its Second Annual Benchmark Survey on Patient Privacy and Data Security. The study focused on actual data loss experience across a sample of 72 healthcare organizations. Compared with last year’s data, the results show a rise in both the frequency and the cost of breaches. 96% of organizations admitted to suffering at least one breach within the past 2 years, and the estimated financial impact of a data breach is $2,243,700 per organization. When asked which negative impacts a breach directly caused, 81% reported time and productivity loss; other responses included fines and penalties (37%) and lawsuits (23%). These percentages are high for impacts that are largely preventable, and they point to a clear need for incident response plans. Once a breach occurs, there is no need for organizations to expend excessive time, energy, and additional money on fines and class-action suits. If proper notification and breach procedures are practiced beforehand and followed efficiently, these negative impacts can be eliminated.
Co3 Systems created a Top 10 breach/data loss objectives list that walks organizations through the steps needed to prepare for a potential data breach.
Top 10 Breach/Data Loss Objectives
#10: Know what & where your sensitive data is

  • First name (or first initial) and last name
  • Social security number
  • Bank number / access code
  • Credit card number
  • Driver’s license number
  • Unique biometric data
  • Fingerprints
  • State ID number
  • Medical info
  • Which states?
  • Electronic & paper records

  • File servers
  • Storage systems
  • Application servers
  • End-points: PCs, laptops, mobile devices
  • Paper records
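Knowing "what and where" in practice means inventorying the data types listed above across the locations listed above. The following Python block is an added example, not part of the original post or of any Co3 Systems product: it scans a constructed set of in-memory "files" (standing in for file servers, application servers and end-points) for two of the listed data types, Social Security numbers and credit card numbers, validates card candidates with the Luhn checksum to cut false positives, and reports masked findings grouped by location. The sample file paths and contents are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample corpus: a pretend path -> file contents. In a real
# inventory these would be read from the servers and end-points being surveyed.
SAMPLE_FILES = {
    "fileserver/hr/onboarding.txt": "Employee Jane Doe, SSN 123-45-6789, start date 2011-03-01\n",
    "appserver/logs/checkout.log": (
        "order=4410 card=4111111111111111 status=ok\n"
        "order=4411 card=1234567812345678 status=declined\n"
    ),
    "laptop/notes.txt": "Nothing sensitive here. Meeting at 10am.\n",
}

# SSN in the common NNN-NN-NNNN form; area 000/666/9xx, group 00 and serial 0000
# are never issued, so they are excluded to reduce noise.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 contiguous digits; the Luhn check below decides.
CARD_RE = re.compile(r"\b\d{13,19}\b")


@dataclass
class Finding:
    kind: str          # data type ("ssn" or "credit_card")
    location: str      # where it was found (constructed path)
    line: int          # 1-based line number within the file
    masked: str        # value with all but the last four characters masked


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep_last: int = 4) -> str:
    """Mask a value so the report itself does not become a new copy of the data."""
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def scan_text(text: str, location: str) -> list[Finding]:
    """Scan one file's text and return findings for SSNs and Luhn-valid card numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding("ssn", location, lineno, mask(m.group())))
        for m in CARD_RE.finditer(line):
            if luhn_ok(m.group()):
                findings.append(Finding("credit_card", location, lineno, mask(m.group())))
    return findings


def inventory(files: dict[str, str]) -> list[Finding]:
    """Scan every location and collect all findings."""
    findings = []
    for location, text in files.items():
        findings.extend(scan_text(text, location))
    return findings


def by_location(findings: list[Finding]) -> dict[str, int]:
    """Answer the 'where' question: how many sensitive values live in each location."""
    return dict(Counter(f.location for f in findings))


if __name__ == "__main__":
    results = inventory(SAMPLE_FILES)
    for f in results:
        print(f"{f.kind:12} {f.location}:{f.line}  {f.masked}")
    print(by_location(results))
```

The declined order's card number fails the Luhn check and is correctly ignored, which is the difference between an inventory that is actionable and one that drowns in false positives; the same pattern-plus-validator structure extends to the other listed data types (driver's license and state ID formats vary by state, which is one reason "Which states?" is on the list).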

#9: Get rid of the data whenever possible

  • Delete it
  • Replace it
  • Obfuscate it
  • Encrypt it
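The four options above are a data minimization policy: for each sensitive field, decide whether it is deleted, replaced, obfuscated or encrypted. The following Python block is an added example (not code from the original post or from Co3 Systems) that applies three of those actions to a constructed customer record: deletion of a field that is not needed, replacement with a keyed HMAC-SHA256 pseudonym that is stable across records but cannot be reversed without the key, and obfuscation by masking all but the last four digits. Encryption is deliberately left out because the Python standard library has no authenticated cipher; a real deployment would use a vetted library (for instance Fernet from the `cryptography` package) under the same policy mechanism. The record, the policy and the key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample record; in practice this is a row, document or log entry.
RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "card": "4111111111111111",
    "dob": "1980-05-02",
    "notes": "prefers email",
}

# Constructed policy: field -> action. Fields not listed are left untouched.
POLICY = {
    "card": "delete",     # not needed after the transaction: get rid of it
    "ssn": "mask",        # still needed for lookup by last four: obfuscate it
    "name": "tokenize",   # needed to link records, not to identify: replace it
}

# Constructed key for the example only; a real key lives in a secrets manager,
# never in source code.
DEMO_KEY = b"example-key-do-not-use-in-production"


def delete_field(record: dict, field: str) -> dict:
    """Delete: return a copy of the record without the field."""
    cleaned = dict(record)
    cleaned.pop(field, None)
    return cleaned


def mask_value(value: str, keep_last: int = 4) -> str:
    """Obfuscate: replace every digit except the last `keep_last` with '*',
    keeping separators so the format stays recognisable."""
    head, tail = value[:-keep_last], value[-keep_last:]
    return "".join("*" if c.isdigit() else c for c in head) + tail


def tokenize_value(value: str, key: bytes) -> str:
    """Replace: a keyed HMAC pseudonym. Deterministic for a given key, so the
    same input maps to the same token across records, but not reversible."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def minimize(record: dict, policy: dict, key: bytes) -> dict:
    """Apply the policy to the record and return the minimized copy."""
    out = dict(record)
    for field, action in policy.items():
        if field not in out:
            continue
        if action == "delete":
            out = delete_field(out, field)
        elif action == "mask":
            out[field] = mask_value(out[field])
        elif action == "tokenize":
            out[field] = tokenize_value(out[field], key)
        else:
            raise ValueError(f"unknown action {action!r} for field {field!r}")
    return out


if __name__ == "__main__":
    print(minimize(RECORD, POLICY, DEMO_KEY))
```

Keeping the policy as data rather than scattering the decisions through application code is what makes the "get rid of it" objective auditable: the policy file is the record of which fields were retained, in what form, and why.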

#8: Define your policies

  • Processes to be followed by incident type
  • Standardized interpretation of legal / regulatory requirements - Which apply?  Which don’t?  Under what circumstances?
  • Standardized, consistent process through which all incidents are handled
  • Contractual requirements you need to include?

#7: Run assessments

  • Gauge the impact of different data loss scenarios
      • Cyber breach, lost laptop, etc.
      • What tasks would you need to complete?
      • What fines might you be subject to?
  • Complete privacy impact assessments for proposed projects
      • What data is being collected?
      • What would the impact be if the data were lost?

#6: Build an incident response plan

  • Breach
  • Theft
  • Lost
  • Internal

  • Internal notifications / actions
  • Consumer notifications
  • Authority notifications

  • Agency notifications
  • Vendors / 3rd parties

#5: Identify and prepare your team

  • IT, Legal, Compliance, Audit, Privacy, Marketing, Senior Executive
  • Keep in mind external partners: legal, audit, security consultants, law enforcement, other partners
  • Communicate responsibilities / share the load
  • Practice (see “Run a fire drill”)
  • Training

#4: Be ready to gather forensics
How will you gather the data you need?

  • Network activity
  • Hard drive forensics
  • Memory forensics
  • Access logs (IT and physical)
  • Logistics (paper records)

#3: Have external resources ready

  • Call center
  • Notification fulfillment
  • Credit monitoring
  • Legal
  • PR
  • Law enforcement
  • Consultants/service providers: security, etc.

#2: Track everything

  • Gauge performance
  • Supporting auditing/reporting
  • Identify problem areas/systems
  • Catalyze improvement
  • Calculate cost to close

#1: Run a simulation/fire drill
Don’t wait for the real thing – practice!

  • Gauge organization preparedness
  • Catalyze improvement
  • Who’s missing from your team?
  • Did you overlook a regulator?
  • Do you need to add a partner?
Ted Julian is Chief Marketing Officer at Co3 Systems.