For the first Monday in November, we have 10 easy steps to make sure that you view your data breach incident response planning from that pesky point of view: the litigator's.

  1. Fail to plan = plan to fail.
  2. Big problems first, small problems later (don’t let the perfect be the enemy of the good).
  3. The criticality of the tone at the top cannot be overstated.
  4. You cannot prevent idiocy, but you can train (and retrain, and retrain).
  5. Make good email practices your fight song (in both times of calm, and times of crisis).
  6. Say what you mean and mean what you say (avoid good policies with poor follow-through; don’t set standards that you can’t meet).
  7. Avoid inconsistencies wherever possible.
  8. Know what your peers are doing (and if you aren’t doing the same thing, document why not).
  9. If you have a close call, document your decision and carefully consider whether you want privilege to apply or not (and why not).
  10. Think about your “story” in slow motion being played on a movie screen (or in excruciating detail on the front page of the Wall Street Journal).