The Sedona Conference®, a nonprofit research and educational think tank dedicated to the advanced study of law, particularly in information governance, has released its Incident Response Guide, open for public comment through June 19, 2018. Drafted by the Working Group on Data Security and Privacy Liability (WG11), the guide is meant to serve as a practical resource for practitioners dealing with the legal, technical, and policy issues related to data-related incidents – from distributed denial-of-service to ransomware attacks.
To assist organizations in developing their Incident Response Plan (IRP), the guide is organized into six sections, each of which is summarized below.
The guide’s appendices offer a model IRP as well as model notification letters to consumers and various State Attorneys General. While guidance such as the NIST Cybersecurity Framework serves as a roadmap for organizations to implement cyber risk management practices, the Sedona guide provides specific operational considerations and even addresses certain legal nuances when responding to an incident – for example, providing criteria to weigh escalation triggers and assess the impact and scope of a data breach.
In this blog post, we provide a summary of each section in the guide.
1. Pre-Incident Planning
The first step for an organization in pre-incident planning is to conduct an information asset inventory – i.e., identify the types and locations of the data it collects and processes. The guide states: “[b]ecause legal obligations differ depending on data type (e.g., trade secrets, confidential information, personally identifiable information (PII), protected health information (PHI), and payment card information (PCI)), data maps that identify data type as well as data location facilitate analysis of legal obligations.”
Once a data map is complete, an organization should identify the legal, regulatory, and contractual obligations that apply to the different tranches of data, as well as implement processes for (1) assigning responsibility for data security by function and position, (2) assessing and tracking compliance, and (3) conducting periodic audits.
The guide also addresses supply chain security as it relates to third party access to an organization’s data, systems, and networks. These third parties can include suppliers, contractors, consultants, auditors, law firms, and financial institutions. The guide emphasizes that organizations should conduct due diligence on the security practices of third parties that will have access to the organization’s data and provides a list of sample questions and other technical and legal considerations that organizations may want to include as part of a due diligence checklist and ongoing risk assessment.
2. The Incident Response Plan
The IRP “provides the standard procedures and protocols for responding to and recovering from an incident.” The IRP should:
- Determine which criteria trigger the IRP, as opposed to an IT-only incident (e.g., a malware infection or detection of routine port scans by external parties)
- Identify the responsibilities of each Incident Response Team (“IRT”) when the incident is first discovered
- Describe how the IRT should be modified on an ongoing basis
- Define the criteria for escalations
- Include protocols on the documentation of critical events.
To the extent possible, the IRT should include internal and external representatives from organizational functions that are likely to be involved in responding to an incident, including, but not limited to, the organization’s IT, cybersecurity, legal, compliance, privacy, HR, risk management, communications/public relations, physical security, law enforcement liaison, and supporting external groups (e.g., outside counsel and forensic experts).
The guide highlights the importance of counsel’s role in responding to an incident, stating that “[c]ounsel is likely to be most familiar with the legal consequences attendant to an incident, such as reporting obligations” and that “[c]ounsel’s involvement in communications regarding the incident may also affect the ability to protect those communications by the attorney-client privilege and/or the work product doctrine.” The guide emphasizes, however, that the mere presence of counsel in incident-related communications does not necessarily cloak those communications in privilege.
As this area of law continues to evolve with data breach litigation, WG11 will offer a more “thorough treatment of the issue” in its forthcoming guidance, Application of Attorney-Client Privilege and Work Product Protection to Documents and Communications Generated in the Data Security Context.
3. Executing the Incident Response Plan
Execution of the IRP is triggered when a “threat actor” (defined by the guide as a human or human-directed actor, such as an insider, script kiddie, socially motivated hacktivist, criminal, competitor, or state-sponsored actor) initiates an action that disrupts the organization’s cyber infrastructure by compromising (1) the confidentiality or privacy of information in the organization’s care, (2) the integrity of the organization’s data or computing/communications systems, or (3) the availability of the organization’s data or computing/communications systems to authorized users. Awareness of such a disruption typically originates from the organization’s IT or security personnel, a user within the organization, or a third party such as law enforcement, a regulator, a client, a customer, or a member of the press.
The organization’s IT group begins by performing an initial scoping investigation to determine the disruption’s cause, time frame, and the systems or information at risk. Depending on the severity and cause of the disruption, the IT group may simply document and repair it or escalate it to the IRT. If escalated, the IRP provides the IRT with a decision guide that will “direct the IRT to take preliminarily responsive actions based on the facts available, as well as provide a framework for identifying what additional facts need to be obtained in order to proceed.”
The guide further encourages the ongoing investigation to continue under the instruction of counsel to ensure compliance with information governance policies (e.g., legal hold requirements) and reporting requirements (e.g., regulatory, contractual, and insurer notices) and involvement of the C-Suite and Board, when necessary.
4. Key Collateral Issues
The guide addresses several key issues collateral to incident responses, including when and how to engage law enforcement, notice to insurance carriers, alternative communication channels, terminating unauthorized access, engaging outside vendors, credit monitoring and identity theft considerations, and PCI-related considerations.
Organizations are encouraged to assess the nature and scope of data compromised in an incident – specifically, the types of data (e.g., customers’ PII stolen by an insider employee) – because it will inform their legal obligations to notify government agencies and other entities. Additionally, the guide offers recommendations on engaging with outside vendors as part of the IRP process.
5. Basic Notification Requirements
The guide provides an overview of the analysis that organizations must make when determining whether a data breach has occurred and whether notice is required, which depends on applicable federal regulations and state data breach notification laws.
The residency of impacted individuals determines which state breach notification laws apply and whether a data breach has occurred under state law. If a data breach has occurred, organizations must then determine (1) whether notification is required, (2) to whom notification should be made, (3) when notification should be made, and (4) what information should be included in the notification. This analysis is performed on a case-by-case basis and is entirely dependent on the laws and regulations implicated.
The guide notes that currently 24 states require notification of a data breach to a State Attorney General (or similar law enforcement or consumer protection group), for which timing and content of such notice may vary. The appendices further provide examples of draft notification letters for Connecticut, Maryland, and Massachusetts.
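The escalation trigger described in section 3 (any compromise of confidentiality, integrity, or availability activates the IRP, while routine IT events are documented and repaired) and the four-question notification analysis in section 5 lend themselves to a small triage helper that an IRT can walk through in a tabletop exercise. The following Python is an added illustration written for this post; it is not code from the Sedona Conference or the guide. The `Event`, `Decision`, and `triage` names are constructed here, the regulated data categories follow the guide’s data-map examples, and the set of states requiring Attorney General notice is a constructed placeholder that an organization would replace with counsel’s own determination.

```python
"""Incident triage helper (constructed example, not the Sedona guide's text).

Decides whether an event stays an IT-handled incident or escalates to the
Incident Response Team, and, on escalation, which notification questions
apply based on the data map and the residency of affected individuals.
"""
from dataclasses import dataclass, field
from enum import Enum


class Impact(Enum):
    """The three compromise categories the guide uses as IRP triggers."""
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


# Data categories from the guide's data-map discussion that carry
# notification duties when their confidentiality is compromised.
REGULATED_TYPES = {"PII", "PHI", "PCI"}

# Placeholder: states this organization's counsel has mapped as requiring
# Attorney General notice. Constructed sample values, not a legal determination.
AG_NOTICE_STATES = {"CT", "MD", "MA"}

# The four questions the guide says must be answered once a breach is found.
NOTIFICATION_QUESTIONS = [
    "Is notification required under each implicated state law?",
    "To whom must notice go (individuals, AG, regulators, insurer, contract parties)?",
    "When must notice be made (deadlines differ by state)?",
    "What content must the notice include?",
]


@dataclass
class Event:
    """What the IT scoping investigation has established so far."""
    description: str
    impacts: set               # subset of Impact found by the scoping investigation
    data_types: set            # data-map categories at risk, e.g. {"PII"}
    residency_states: set      # two-letter states of affected individuals
    routine: bool = False      # e.g. blocked port scan, quarantined commodity malware


@dataclass
class Decision:
    escalate_to_irt: bool
    reason: str
    notification_questions: list = field(default_factory=list)
    ag_notice_states: set = field(default_factory=set)


def triage(event: Event) -> Decision:
    """Apply the guide's escalation trigger, then the notification analysis."""
    if not event.impacts:
        # No CIA compromise: IT documents and repairs; the IRP is not activated.
        why = "routine IT incident" if event.routine else "no CIA compromise found"
        return Decision(False, f"{why}: document and repair")

    # Any compromise of confidentiality, integrity, or availability is an IRP trigger.
    touched = ", ".join(sorted(i.value for i in event.impacts))
    decision = Decision(True, f"IRP trigger: compromised {touched}")

    # Notification analysis turns on which regulated data lost confidentiality.
    # Note for ransomware: if exfiltration is suspected, the scoping team must
    # record CONFIDENTIALITY as well as AVAILABILITY or this step is skipped.
    regulated = event.data_types & REGULATED_TYPES
    if Impact.CONFIDENTIALITY in event.impacts and regulated:
        decision.notification_questions = list(NOTIFICATION_QUESTIONS)
        # Residency of affected individuals selects the state laws in play.
        decision.ag_notice_states = event.residency_states & AG_NOTICE_STATES
    return decision


if __name__ == "__main__":
    # Constructed sample events for a tabletop walk-through.
    for ev in (
        Event("external port scan blocked at firewall", set(), set(), set(), routine=True),
        Event("insider copied customer PII to USB", {Impact.CONFIDENTIALITY},
              {"PII"}, {"CT", "NY"}),
        Event("ransomware encrypted file server, no exfil evidence",
              {Impact.AVAILABILITY}, {"PII"}, {"MA"}),
    ):
        d = triage(ev)
        print(f"{ev.description}: escalate={d.escalate_to_irt} ({d.reason})")
        for q in d.notification_questions:
            print("   -", q)
        if d.ag_notice_states:
            print("   AG notice candidates:", sorted(d.ag_notice_states))
```

The helper deliberately separates the two decisions the guide keeps distinct: escalation is driven purely by the CIA trigger, while notification depends on the data map and residency and is answered case by case, so the script only surfaces the questions and candidate jurisdictions rather than pretending to resolve them.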
6. After-Action Reviews
Recognizing the recurring threat of data breach-related incidents, the guide introduces after-action reviews as a critical opportunity for an organization to “identify which areas of the IRP worked or failed, to update the IRP and internal practices and policies with a view towards preventing the same type of incident from occurring again, and to address blind spots that the IRP did not account for.”
The guide also provides several helpful questions that an organization can use to evaluate the effectiveness of its IRP and communications strategy, instructing that any “reports that call for change or gap closure should include details that support the proposed change, the projected cost to implement it, a timeline, and a follow-up plan.” Ultimately, re-examining an organization’s IRP and related cyber policies and procedures may reveal the need for stakeholder training, IRT tabletop exercises, and further C-Suite and Board engagement.