It is important for organizations to be prepared to respond to a data breach. The below is an excerpt from an article writte by Ice Miller's Data Security and Privacy Practice which provides some practical suggestions for preparing an organization to respond to a data breach.
Assembling the Response Team
A critical component of a company’s breach response is the breach response team. A breach response team is a core team of responders comprising legal counsel, business personnel, compliance officers, IT personnel, public relations, and executive level decision makers. Additional personnel like vendors and external forensic experts may also be engaged.
Upon intelligence indicative of a data breach, the response team can begin analysis. It is not necessary to engage the full response team immediately. Initial personnel can perform preliminary analysis to identify the nature of the event, and then escalate accordingly.
In a data breach, a priority of the breach response team is to identify the scope of the breach and the severity of the breach. The response team may seek to isolate and mitigate the impact of the breach.Depending on the circumstances, it may be in a company’s best interest to engage legal counsel at the onset of a data breach. Legal counsel can play a pivotal role in the data breach response team. For example, attorneys can determine legal obligations regarding complex notification requirements which may stem from state, federal, and international laws, regulatory decisions, and contracts entered into by the company. Counsel can also direct the response team to satisfy other legal and regulatory obligations. Additionally, involvement of legal counsel may implicate attorney-client privilege and work product protections that otherwise would not exist in the data breach response process.
Determining if a Data Breach Occurred
It is important to properly identify a data breach versus a general data security incident. Generally, a data security incident includes the attempted unauthorized access, use, disclosure, modification, or destruction of personally identifiable information. The term “data breach,” however, is generally used to describe the actual unauthorized disclosure of personally identifiable information. However, legal definitions of a data breach vary based on the applicable law and circumstances.
Depending on the applicable law, a classification of an event as a data breach may trigger legal obligations by an organization, such as notification to consumers, regulators, or business partners. On the other hand, a general security incident may arise that actually or potentially jeopardizes data, but may not give rise to the same legal obligations imposed by the occurrence of a data breach.