A large portion of the data breaches that occur each year involve human-resource-related issues. This includes situations in which HR data was lost, employees were inadvertently responsible for the loss of information about other people, or, in a small number of cases, a current or former employee maliciously stole or released information.
Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach. This part is designed to help human resource managers draft, review, and understand an incident response plan.
An incident response plan explains how an organization handles security events, security incidents, and security breaches. Among other things, the plan helps employees from different departments understand the role that they are expected to play when investigating a security incident and identifies other people within the organization with whom they should be coordinating. The plan can also help educate employees concerning what they should do (and should not do) when faced with a security incident and can provide them with a reference guide for resources that may help them effectively respond to a breach.
Incident response plans take a variety of forms, and there is no mandated structure. The following topical recommendations, however, may help you draft an incident response plan or evaluate the thoroughness of one that already exists:
- Definition of Security Event, Incident, and Breach. Consider explaining the difference between an event, an incident, and a breach so that those in the organization involved with incident response understand the distinction. The labels matter: "breach" in particular is the term that typically carries notification obligations, so the plan should discourage employees from applying it to a situation before the investigation supports it.
- Security Event Escalation. By their very nature, security events are relatively common occurrences. Only a small percentage of events will become incidents, and an even smaller percentage of events will ultimately become breaches. Nonetheless, it is important to explain the process under which an event should be escalated to an incident or a breach and the impact that such an escalation has on who within the organization needs to become involved in an investigation and how the investigation should be handled.
- Responsibilities For Conducting an Incident Investigation. The plan should explain who within the organization is responsible for investigating security incidents, to whom information should be reported, and who has the authority (and responsibility) to seek additional resources when needed. To the extent that one of the purposes for conducting an investigation is to provide in-house or outside counsel with information needed to make legal recommendations, the plan should consider whether the organization wants the investigation to be conducted under the auspices of the attorney-client privilege and attorney work product doctrine. If so, the plan should make clear that the investigation is operating at the direction of counsel and should provide instructions to employees who may be collecting information on how to help preserve privilege.
- Internal Contact Information. Many plans include a quick reference guide naming the people within an organization who can help in the investigation of a security incident and their emergency contact information (e.g., email address, home phone, and mobile phone). Because the incident itself may take corporate email or the network offline, the team should keep a copy of this guide somewhere that does not depend on the systems being investigated.
- External Contact Information. Many plans include a quick reference guide naming the people outside of an organization who can help in the investigation of a security incident. That may include contacts with law enforcement (e.g., FBI and Secret Service), outside counsel, forensic investigators, call center support, identity theft services, public relations experts, etc. If the organization has a cyber-insurance policy, you may want to list the approved vendors in the plan and the insurer’s contact information to notify of a potential claim.
- Recordkeeping. Plans typically explain the types of documents and records that should be kept concerning the investigation in order to permit legal counsel to reconstruct, if necessary, when the organization knew certain pieces of information and when the organization took certain steps. Such reconstruction may be necessary in litigation or a regulatory investigation. The plan should direct recordkeeping to be done by a designated person and caution against too many participants recording information, particularly when that information is subject to change or may not be accurate.
- Post-Incident Reporting. Many plans discuss how the organization will take information learned during an incident and incorporate that back into the organization’s security program. This might include “lessons learned” from how an incident was handled or ways to prevent an incident from occurring again.
TIP: Many organizations overthink their incident response plan and create a long, complex document that is of little use when a breach occurs. The best incident response plans are short and focus on practical information that the incident response team can quickly find and use in the event of a breach.