Data breach scenarios are the stuff of nightmares among IT security professionals, but logic tells them that it may only be a matter of time before their organizations fall victim to an external attack or internal mistake. When disaster strikes, the degree of damage is often dependent on how teams have prepared themselves for such contingencies. Most importantly, managers will have to understand how to calculate data security vulnerabilities and who to call for a helping hand.
Severity
Before moving forward with an effective data breach resolution strategy, affected organizations must survey the scope of the damage. For instance, which databases have been compromised? Was the missing information covered by data encryption software? Which stakeholders could be affected?
As Network World noted, breaches rarely occur in neatly contained environments. More likely, the incident could affect operations for several business partners, potentially across international borders.
Naturally, not all companies will have the requisite forensic expertise on the payroll. But especially for small business managers, that talent should be on call. According to Dark Reading, having a list of qualified, credentialed security consultants to lean on is one of the most important security precautions an SMB can take as it attempts to balance risk management priorities with financial realities.
That is not to say, however, that these firms cannot take proactive steps toward mitigating the potential damage consultants find. By encrypting sensitive data from the start, companies can effectively nullify the value of any lost or stolen files that ultimately find their way into the hands of unauthorized viewers.
Legality
Once the anatomy of the attack has been fleshed out, the next step should be determining how the incident could impact data compliance standings. According to Network World, local, and potentially federal, data breach notification laws often demand a call to associated authorities within hours of discovery.
Additionally, legal experts may need to be consulted or recruited to help companies delineate their responsibilities and liabilities for any data covered by Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS) or Federal Information Security Management Act (FISMA) statutes. If customer lawsuits or regulatory sanctions are a possibility, time is of the essence in constructing a legal strategy.
Publicity
Finally, companies will face a number of tough decisions when shaping their public response to a data security incident. First and foremost, management needs to understand its legal obligations to inform the entities and individuals who were potentially affected by the event(s).
According to Network World, the political climate is growing increasingly intolerant of negligent corporate security practices. As a result, companies that attempt to hide or downplay their troubles could end up the worse for wear. Alternatively, transparent stakeholder communications about what information may have been affected and which data security solutions will be put in place could help significantly mitigate residual reputational damage.


