It is important for organizations to be prepared to respond to a data breach. The below is an excerpt from an article written by Ice Miller's Data Security and Privacy Practice which provides some practical suggestions for preparing an organization to respond to a data breach.
Evaluating the Severity of a Data Breach
In the event of a data breach, a response team may be charged with identifying the severity of the breach. Detection and analysis of a breach are often difficult tasks. Legitimate symptoms of a breach are usually mixed with false positives, unreliable indicators, or hidden amongst other acceptable activity. For example, a company may be experiencing a cyber-attack which is only meant to mask an earlier theft of data. Therefore, the breach response team must be fully capable of evaluating the severity of the breach.
If charged with making this determination, the response team can determine what data was specifically compromised and provide sufficient information to prioritize subsequent activities. Additionally, an analysis may include information helpful for evaluating whether legal requirements for notice are triggered. For example, if personally identifiable information of consumers, such as names, social security numbers, or addresses were compromised, it might trigger notification requirements as detailed below.
Evaluating the severity of the breach is essential because subsequent activities may be dictated and prioritized based on this information.
Engaging Government Authorities
During the course of the response, engagement of government authorities may be necessary. For example, a company may wish to contact law enforcement to investigate possible criminal activity in the event of a cyber-attack or employee theft of trade secrets or proprietary data.
If government authorities are engaged, it is important that this be performed at an appropriate time and in a manner consistent with the requirements of the law and the government authority’s procedures. For example, law enforcement agencies may not provide forensic analysis if extended time has elapsed between the occurrence of the breach and the engagement of law enforcement; or a law enforcement agency may not get involved if a forensic analysis has already been completed by another party.
Additionally, an organization may wish to consider the implications to public disclosure of information about the breach when engaging law enforcement. This is particularly important if an organization can expect litigation stemming from the data breach. Timely consult of legal counsel can help a company fully understand the implications of engaging government authorities.
Being generally familiar with a government authority’s on-site operations and methods can help ensure that the presence of law enforcement for example, does not derail or conflict with other breach response activities. Law enforcement agencies may seek to drive activities when engaged on-site. In such situations, organizations should be prepared to handle directives given by law enforcement.