For companies holding federally or state-protected personal information, personal health information, or even trade secret information, developing an effective incident response plan (Response Plan) is crucial. In fact, a Response Plan is almost as important as the written information security plan (WISP).
Companies such as Target, eBay and Snapchat experienced financial and reputational harm following recent breaches, at least in part because of slow-moving and ineffective response actions. The same has been true for smaller companies that mishandled computer incursions or lost unencrypted laptops or data disks and were then subject to adverse publicity and governmental sanctions. Whether or not these companies had Response Plans in place, they failed to execute adequately after their respective data breaches.
An effective Response Plan needs to guide company personnel at all levels in managing a potential data breach in a way that supports rapid and thoughtful response activities. For all companies, and especially those with substantial exposure to data liability, Response Plans must be considered an integral part of the WISP, and should include the following key elements.
Assemble an Internal Team
Companies with significant protected information should go beyond referring breach questions to the WISP responsible manager and formally establish a breach evaluation and response team to guide the company’s actions following a breach of substantial protected information (excluding a lost laptop or mis-sent email disclosing information of only a limited number of employees or customers). The size of the team will depend on the geographic reach, sophistication and data loss exposure of the company, but it can include:
- the WISP responsible manager;
- legal counsel (both internal and outside counsel);
- an information technology manager;
- a human resources manager;
- an operations manager; and
- corporate communications and government affairs personnel.
At minimum, the team should be tasked with:
- advising top management and the board of key breach and response developments;
- communicating internally to all employees that a potential breach has occurred and that an internal team is addressing it, and, critically, that non-team members should avoid internal emails about it, since uninformed speculation may be discoverable in subsequent breach-related litigation;
- tracking and meeting all breach-related deadlines imposed by applicable law and vendor agreements; and
- making sure internal discussions and response plans are protected by attorney-client privilege and/or work product protections to the greatest extent possible.
Identify External Data Security Resources
Breach developments can get out of hand before the company can identify, interview and hire the experts needed to meet breach-related obligations and minimize liability. A good Response Plan identifies each outside resource, provides full contact information and names a backup in case of unavailability. In addition to experienced legal counsel, the following resources should be considered and lined up in advance:
- computer forensics experts who can image a potentially compromised computer, server or network, confirm and analyze the extent of the incursion, and remediate it;
- public relations professionals who can help with public-facing statements and press contacts if the breach is publicized;
- operations personnel who can help with dissemination of Response Plan-related information and action items as well as website changes and short-term call center expansions if needed to meet consumer information needs; and
- insurance brokers who can swiftly identify available breach-related benefits under general policies and, where applicable, specialized cybersecurity policies and help provide formal loss claim notices.
Differentiate Breaches
The Response Plan should be flexible enough to establish an appropriate and effective process for different types of breaches. For example, minor breaches can be left to the discretion of the WISP responsible manager, while others require consultation with the full response team and across offices. Different personnel may also need to join the team depending on the significance of the breach (mid-size or company-threatening), the type of breach (external computer incursion or insider employee theft) and the type of information at issue (social security numbers, credit or debit card numbers, personal health information or trade secrets).
Create an Action Item Checklist
Well-crafted Response Plans for larger companies should include a checklist of prioritized action items to be completed immediately after the company learns of a potential significant data breach. Some key items include:
- recording the date and time the breach is discovered;
- finalizing and activating both the internal and outside response teams for the type of breach;
- establishing a secure perimeter around any equipment or systems believed to be part of the breach and isolating potentially compromised systems from the network to prevent further incursion (isolate rather than power down where practical, since shutting a machine down destroys volatile evidence such as memory contents and active connections);
- conducting initial interviews of those with critical knowledge of the potential breach;
- getting forensics personnel on site to take a verifiable forensic image of the affected systems, so they can be remediated without compromising later analysis of how the breach occurred; and
- beginning to plan the action items to be undertaken over the following days.
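The imaging step above is the one a forensics engineer cares most about: a copy is only useful as evidence if you can later prove it has not changed. The following is an added example, not from the original article, showing the minimum discipline in POSIX shell: take a bit-for-bit copy with dd, hash both the source and the image, write a custody record, mark the image read-only, and re-verify the image against the record on demand. The "source" here is a constructed sample file so the script runs offline; on a real engagement the source is a block device behind a hardware write blocker, and the case identifier, paths and log format are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's own procedure): acquire and verify a forensic image.
# Assumes POSIX sh with dd, and sha256sum (coreutils) or shasum as a fallback.
set -eu

# Print the SHA-256 of a file, whichever hashing tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed sample "disk" so the example is self-contained (not real evidence).
make_sample_source() {
    f="$1"
    printf 'constructed sample evidence volume\n' > "$f"
    i=0
    while [ "$i" -lt 100 ]; do
        printf 'record %03d: customer data placeholder\n' "$i" >> "$f"
        i=$((i + 1))
    done
    printf '%s\n' "$f"
}

# acquire_image SOURCE OUTDIR CASE_ID
# Copies SOURCE to OUTDIR/CASE_ID.dd, records hashes in OUTDIR/CASE_ID.custody.log
# and returns 0 only if the image hash matches the source hash.
acquire_image() {
    src="$1"; outdir="$2"; case_id="$3"
    img="$outdir/$case_id.dd"
    log="$outdir/$case_id.custody.log"
    mkdir -p "$outdir"
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image $img" >&2
        return 1
    fi
    # Bit-for-bit copy. Production acquisition adds a write blocker and an
    # error-tolerant imager; plain dd is enough to show the integrity chain.
    dd if="$src" of="$img" bs=1M 2>/dev/null
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    # Custody record: who, when (UTC), what, and the hashes that bind them.
    {
        printf 'case_id=%s\n' "$case_id"
        printf 'acquired_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'operator=%s\n' "$(id -un 2>/dev/null || echo unknown)"
        printf 'source=%s\n' "$src"
        printf 'source_sha256=%s\n' "$src_hash"
        printf 'image=%s\n' "$img"
        printf 'image_sha256=%s\n' "$img_hash"
    } > "$log"
    chmod 0444 "$img" "$log"   # evidence is never edited in place
    if [ "$src_hash" = "$img_hash" ]; then
        echo "acquired $img sha256=$img_hash"
        return 0
    fi
    echo "hash mismatch: source=$src_hash image=$img_hash" >&2
    return 1
}

# verify_image OUTDIR CASE_ID
# Recomputes the image hash and compares it with the custody record.
verify_image() {
    outdir="$1"; case_id="$2"
    img="$outdir/$case_id.dd"
    log="$outdir/$case_id.custody.log"
    recorded=$(grep '^image_sha256=' "$log" | cut -d= -f2)
    current=$(hash_file "$img")
    if [ "$recorded" = "$current" ]; then
        echo "OK: $img matches custody record ($current)"
        return 0
    fi
    echo "MISMATCH: $img recorded=$recorded current=$current" >&2
    return 1
}

# Demonstration on the constructed sample (fresh directory each run).
DEMO_DIR=$(mktemp -d)
DEMO_SRC=$(make_sample_source "$DEMO_DIR/sample_disk.img")
acquire_image "$DEMO_SRC" "$DEMO_DIR/evidence" CASE-0001
verify_image "$DEMO_DIR/evidence" CASE-0001
```

The custody log is what counsel will ask for: the recorded hash, timestamp and operator let the company show that the copy analyzed (and any copy handed to regulators or opposing parties) is the one taken at discovery. Remediation then happens on the live system, never on the image.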
Importantly, for hacked computer systems, companies should avoid making public statements until forensics has confirmed that an unauthorized incursion actually occurred; a false alarm can do serious and unnecessary harm to the company's reputation. Holding public statements does not pause the clock, however: any legal or contractual notification deadlines that run from discovery must still be tracked during the investigation.
Track Key Breach-Related Rights, Obligations and Deadlines
While any well-constructed WISP should identify the key legal obligations the company must meet under applicable state or federal law, especially any deadlines for reporting or responding to potential breaches, the Response Plan should track all data security-related deadlines in one place. This is particularly important for bilateral contract security provisions with your vendors (or with your client companies where you are the vendor) that impose additional data security-related notice, reporting or task completion deadlines. Tracking these together ensures that deadlines and obligations are not missed through inadvertence or oversight.
Review and Update the Response Plan Regularly
Even more than the WISP itself, a Response Plan needs to be regularly reviewed and updated: at least once per year, and more frequently for larger companies. Internal and external personnel change, provider retention agreements expire or terminate, new business lines with new risk profiles are added, and new contracts granting new data security rights and responsibilities are entered into. The Response Plan should reflect current information at all times and, in particular, service provider arrangements should be kept current so that external professionals are actually available when needed.
Given that breach-related harms for larger multi-location companies can run into the tens or hundreds of millions of dollars, such companies with data liability risks should consider running incident response “war games” to test the performance of the Response Plan team, top management and affected business units in various breach scenarios.