Does your company have an incident response plan in place in case of a cyberattack or data breach? Companies that do not understand the gravity of these events should take heed of this statistic: 90 percent of businesses that lose data due to a security incident shut down within two years, according to The Ponemon Institute.

When you do suffer a data breach, they are costly. The Ponemon Institute estimates that the total cost of responding to a successful cyberattack today is more than $5 million.

Instituting an Incident Response Plan (IRP) is so important that the U.S. Department of Justice issued guidance in 2015 noting that it is critical for companies with personally sensitive data to develop an IRP.

The reality companies face today is that they will likely suffer some type of security incident – whether it is an inadvertent breach due to a careless employee or a full-fledged cyberattack by hackers. Companies that do not prepare for an incident with a plan outlining the steps they will take upon discovering a breach are doing themselves and their customers a disservice – and may find themselves embroiled in litigation, regulatory scrutiny, and their doors soon closed.

What is an Incident Response Plan?

An IRP is a detailed plan crafted by stakeholders within and outside the company, including the CEO, Chief Security Officer, IT Department, and legal counsel – both in-house and outside counsel. The plan contains various scenarios of security incidents that your company could suffer and the response your company will take for each scenario. The IRP details who to communicate with, when, and the steps to follow after a breach is discovered.

Your legal team is an integral part of the development and execution of the IRP because they understand what the law requires your company to do when a breach occurs and the legal ramifications that may be at stake, including fines and litigation. Your legal team also knows when it is necessary to contact law enforcement in regard to a breach.

What Is in the IRP?

The IRP is your company’s playbook in dealing with a data breach. You should organize a team of key stakeholders to create the IRP, practice it, and update it with any necessary changes to better address a potential incident.

The IRP should include:

  • All possible scenarios of a security incident. This could include an employee having an unencrypted laptop stolen from their car, a hacker finding a vulnerability in your website, or an employee unknowingly clicking on a phishing scam in an email. Your incident response plan should also include the active steps your company is taking to avoid the outlined scenarios.
  • Training. The IRP should clearly define what actions a specific person will take if an incident is discovered. Your key stakeholders should participate in a tabletop exercise, going through each step of your scenario. You should do this exercise for every scenario outlined in the IRP.
  • Communication expectations. What is the chain of command for communicating when an incident is discovered? Who are the necessary people to contact when an incident occurs? Limiting the number of people on internal communications will be important if your company is sued after an incident or breach. Include your legal counsel in the communication plan and when interviews are conducted as part of your internal investigation. Your counsel will be able to ensure that attorney-client privilege is in place within certain communications.
  • Identify your outside vendors, forensic, legal, public affairs/crisis communications before an incident occurs. Having vendors familiar with your company and personnel is essential for a timely response.

Does My Company Need an IRP?

Yes. Every company – no matter the size or industry – should create an IRP to handle a cybersecurity incident, which includes cyberattacks and data breaches. The 2018 Verizon Data Breach Incident Report found 58 percent of data breaches hit small businesses. The report also noted that top five industries suffering the most data breaches are:

  1. Health care
  2. Accommodation
  3. Public
  4. Retail
  5. Finance

Of the small businesses that suffer a cyberattack, 60 percent go out of business within six months of the attack, according to UPS Capital.

Businesses are now expected to have IRPs in place and may face legal liability for failing to do so. The FTC brought an enforcement action against Wyndham Worldwide Corporation after it suffered a series of data breaches. FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 259 (3d Cir. 2015). The FTC alleged that Wyndham’s cybersecurity practices were deficient for several reasons, including for not following its response plan after a breach. Wyndham argued that it did not have fair notice of the requirements of a “sufficient” cybersecurity practice, so it should not be liable. The court found that due to previous enforcement actions and industry guidance, there was “little trouble” dismissing the fair notice argument.

Feedback is Important

Ideally, your company will never have to use its IRP, but the unfortunate reality is that your company will eventually encounter a security incident of some kind. When it does, you will follow the practiced plan as outlined in the IRP. Then what? Gather your stakeholders to discuss what worked in reality and what fell flat. Were there gaps in communication? Did your anticipated fix for a problem turn out not to be the best solution? Did you properly inform affected parties that their data had been compromised? The IRP should be revised based on this feedback and experience so that, next time, your company will be better equipped to address the incident and better prepared to defend against a lawsuit.


Having an IRP in place will help your company prepare for an attack or data breach and respond quickly and appropriately. The time it takes for your company to discover the breach and stop it can be extremely costly for a business. By crafting an IRP, regularly practicing, and revising as necessary, your company will not waste valuable time trying to figure out your next steps or who to contact.