Public announcements of major data breaches have become an almost daily occurrence.  Last year was notorious for data breaches and 2015 has begun with major data breaches continuing to make headlines.  Without a doubt, a data breach can be devastating to a business.  Along with financial harm, a business can suffer reputational, legal and other consequences resulting from a data breach.  As devastating as a data breach can be, it is often the response to a breach that can cause the most damage to a company.  A timely and well-handled response to a data breach, however, can be hugely effective in mitigating the extent of the damages and can even help a business’s brand.

Given this reality, it is important for organizations to be prepared to respond to a data breach.  This article provides some practical suggestions for preparing an organization to respond to a data breach.

Developing the Breach Response Plan

A data breach response plan is an operational playbook that a company can use to handle security events and data breaches.  One of the most frequently cited resources for developing a data breach response plan is the National Institute of Standards and Technology Computer Security Incident Handling Guide (“NIST Guide”).[1]  The NIST Guide provides a framework for handling computer security incidents, including data breaches.  Generally, the NIST Guide recommends that an incident response plan include the following elements:

  • Mission
  • Strategies and goals
  • Senior management approval
  • Organizational approach to incident response
  • How the incident response team will communicate with the rest of the organization and with other organizations
  • Metrics for measuring the incident response capability and its effectiveness
  • Roadmap for maturing the incident response capability
  • How the program fits into the overall organization

One key suggestion concerns the establishment of communication lines.  It is important that the incident response team be able to communicate effectively both within the organization and with outside parties such as customers, the media, software and support vendors, other incident response teams, internet service providers, law enforcement agencies, and incident reporters.  Specific ways to provide these communication lines include making the contact information of team members available, having instructions for verifying the identities of team members, and having secure communication channels, for example by using encryption software.  Because the systems affected by a breach may include the organization’s own email, these channels should also be usable out of band.

Ideally, the response plan will delineate which events are considered incidents or breaches, establish the organizational structure for incident response, and define roles and responsibilities of the response team.  It is good practice to think of the response plan as an ongoing initiative that is tested and kept up to date to ensure its reliability and effectiveness.

Assembling the Response Team

A critical component of a company’s breach response is the breach response team.  A breach response team is a core team of responders comprising legal counsel, business personnel, compliance officers, IT personnel, public relations, and executive level decision makers.  Additional personnel like vendors and external forensic experts may also be engaged.

When information indicating a possible data breach is received, the response team can begin its analysis.  It is not necessary to engage the full response team immediately.  Initial personnel can perform a preliminary analysis to identify the nature of the event, and then escalate accordingly.

In a data breach, a priority of the breach response team is to identify the scope and severity of the breach.  The response team may also seek to contain the breach and mitigate its impact.

Depending on the circumstances, it may be in a company’s best interest to engage legal counsel at the onset of a data breach.  Legal counsel can play a pivotal role in the data breach response team.  For example, attorneys can determine legal obligations regarding complex notification requirements which may stem from state, federal, and international laws, regulatory decisions, and contracts entered into by the company.  Counsel can also direct the response team to satisfy other legal and regulatory obligations.  Additionally, involvement of legal counsel may implicate attorney-client privilege and work product protections that otherwise would not exist in the data breach response process.

Determining if a Data Breach Occurred

It is important to distinguish a data breach from a general data security incident.  Generally, a data security incident includes the attempted unauthorized access, use, disclosure, modification, or destruction of personally identifiable information.  The term “data breach,” however, is generally used to describe the actual unauthorized disclosure of personally identifiable information.  Legal definitions of a data breach nonetheless vary based on the applicable law and circumstances.

Depending on the applicable law, a classification of an event as a data breach may trigger legal obligations by an organization, such as notification to consumers, regulators, or business partners.  On the other hand, a general security incident may arise that actually or potentially jeopardizes data, but may not give rise to the same legal obligations imposed by the occurrence of a data breach.

Evaluating the Severity of a Data Breach

In the event of a data breach, a response team may be charged with identifying the severity of the breach.  Detection and analysis of a breach are often difficult tasks.  Genuine indicators of a breach are usually mixed with false positives and unreliable indicators, or hidden among otherwise acceptable activity.  For example, a company may be experiencing a cyber-attack that is intended only to mask an earlier theft of data.  Therefore, the breach response team must be fully capable of evaluating the severity of the breach.

If charged with making this determination, the response team can determine what data was specifically compromised and provide sufficient information to prioritize subsequent activities.  Additionally, the analysis may include information helpful for evaluating whether legal requirements for notice are triggered.  For example, if personally identifiable information of consumers, such as names, Social Security numbers, or addresses, was compromised, it might trigger notification requirements as detailed below.

Evaluating the severity of the breach is essential because subsequent activities may be dictated and prioritized based on this information. 

Engaging Government Authorities

During the course of the response, engagement of government authorities may be necessary.  For example, a company may wish to contact law enforcement to investigate possible criminal activity in the event of a cyber-attack or employee theft of trade secrets or proprietary data.

If government authorities are engaged, it is important that this be performed at an appropriate time and in a manner consistent with the requirements of the law and the government authority’s procedures.  For example, law enforcement agencies may not provide forensic analysis if extended time has elapsed between the occurrence of the breach and the engagement of law enforcement; or a law enforcement agency may not get involved if a forensic analysis has already been completed by another party. 

Additionally, an organization may wish to consider the implications for public disclosure of information about the breach when engaging law enforcement.  This is particularly important if an organization can expect litigation stemming from the data breach.  Timely consultation with legal counsel can help a company fully understand the implications of engaging government authorities.

Being generally familiar with a government authority’s on-site operations and methods can help ensure that the presence of law enforcement, for example, does not derail or conflict with other breach response activities.  Law enforcement agencies may seek to drive activities when engaged on-site.  In such situations, organizations should be prepared to handle directives given by law enforcement.

Communicating the Data Breach Externally

External communication and notification after a breach is often essential to the public’s perception of the data breach.  Whether laws of the jurisdiction mandate notice, or whether the company is taking the initiative to disclose the breach and its impact, communication that is organized and carefully disseminated can minimize confusion, garner goodwill, mitigate damages, and demonstrate transparency and cooperation.

A good data breach response plan can identify such communications and notification goals.  For example, communication to customers whose personal information was compromised is particularly important and, at times, legally mandated.  Identifying applicable state and federal laws requiring compliance is the first step.  For businesses operating in different legal jurisdictions, this can become a complicated task.  For example, some states mandate time limits as to when a customer is notified; or, under what circumstances notification must be made individually or en masse; or, what exceptions there are to notifications.

Within the breach response plan, the company may wish to identify the responsible party for creating and approving any outgoing communication.  Effective communication may demonstrate compliance with applicable legal requirements or clearly articulate sufficient information so that a customer can make an informed decision or take any corrective actions.  For example, a typical customer notification may describe the incident, the information that was compromised, the consequences of the breach, and protective measures that consumers can take. 

Post-Incident Review

The best time to review the incident response, and update the response plan, may be immediately after an organization has been through a data breach.  Technologies, personnel, policies, laws, and procedures change.  Reviewing, evaluating, and updating a breach response plan can ensure that it is still relevant.  The organization can also evaluate its data security measures following a breach to mitigate any other potential threats.

While it is never a good time to be a target of a data breach, planning and preparation can play a vital role in helping your business respond and recover from a data breach.