No matter how carefully, thoughtfully and diligently a company works to prevent it, data breaches happen. Company management, IT teams and outside consultants can do everything right and still end up dealing with a breach. That means that knowing how to best respond when (not if) a breach happens should be part of every company’s data protection strategy.
We recommend that every company assemble a security breach team, consisting of individuals inside and outside of the organization who possess different skill sets. This may include technology officers, as well as staff from IT, human resources, communications, legal departments, outside counsel, and outside vendors. The composition of the team will depend on the type and size of the organization, but each member should be in a position and have skills that enable the organization to quickly and properly respond to an incident. The team must also be equipped, authorized and empowered to evaluate and immediately react to an incident once it has occurred.
Each individual on a security response team should have a clear understanding of their role and responsibilities before, during and after an incident. Having a detailed plan in place will increase the likelihood that the damage resulting from a breach can be contained. Including a list of key contacts and contact information will ensure that the plan is put into action without delay. That plan must be maintained over time, and inside or outside counsel should be consulted on the often-changing landscape of breach response requirements.
Assembling a breach response team and creating a plan are only the first steps. The plan must be written, accessible, and practiced to ensure an effective response under pressure. Businesses that fail to keep a hard copy of their breach response plan are often surprised to find it inaccessible because the breach has taken down the company's computer systems. Tabletop breach exercises are another necessary but often-forgotten step toward ensuring that your team is not carrying out a breach response together for the first time.
When responding to a data breach, the team should take steps to stop and repair the breach and to investigate how and why it occurred. The incident should be fully documented throughout this process, and steps should be taken to ensure the confidentiality of information. Depending on the nature of the breach, law enforcement may be able to help in the investigation.
If an incident is impacting a business’ operations, the impacted systems should be isolated from other network systems in order to mitigate the damage. If a breach is not causing ongoing harm, the best course of action may be to monitor the situation closely while the root cause and extent of damage from the breach can be investigated. Throughout this process, members of the security response team should have a clear understanding of their roles and responsibilities, and remain in close contact and communication with others within the organization.
Concurrently with its breach investigation, a company and its security response team must determine its breach notification requirements. Every state has data breach notification requirements that depend on the individuals affected and the type of information subject to the breach, but states' requirements vary drastically. Some states may require reporting the breach to an agency or the credit bureaus. Some states also require that individuals affected by a breach receive certain information or identity monitoring services.
In general, an incident should be reported to law enforcement if it appears to be malicious and involve criminal activity. In some instances, depending on the type of company and industry involved, reporting is mandatory. Breaches of health care information, for example, must be reported by HIPAA-covered entities. A privacy attorney should be a part of your team. This attorney can advise regarding which notifications are required and recommended.
Moreover, data security breaches are increasingly leading to litigation. More and more class action lawsuits are being filed against companies when sensitive consumer or patient information is exposed. Therefore, in the event of a breach, security response teams must carefully document their investigations in order to ensure the quality and admissibility of evidence in court. Part of every data breach incident plan should be guidelines on how to preserve and protect evidence.
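The documentation and evidence-preservation guidelines described above (and the incident documentation mentioned earlier) are usually implemented as a hashed evidence manifest with a chain-of-custody log. The following is an added example, not part of the original article or the firm's own materials: it records a SHA-256 digest for each collected artifact, appends custody entries that are hash-linked to every earlier entry, and verifies that neither the artifacts nor the custody history have changed. File names, the collector name and the log line are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _link_hash(prev_link: str, body: dict) -> str:
    """Hash a custody entry together with the previous link, so editing or deleting history is detectable."""
    payload = prev_link + json.dumps(body, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def add_custody_entry(manifest: dict, action: str, actor: str, note: str = "") -> dict:
    """Append a chain-of-custody entry (who did what, when) linked to all earlier entries."""
    prev_link = manifest["custody"][-1]["link"] if manifest["custody"] else "genesis"
    body = {"action": action, "actor": actor, "note": note,
            "at": datetime.now(timezone.utc).isoformat()}
    entry = dict(body, link=_link_hash(prev_link, body))
    manifest["custody"].append(entry)
    return entry


def collect_evidence(paths, collector: str) -> dict:
    """Record path, digest, size, time and collector for each artifact and open the custody chain."""
    now = datetime.now(timezone.utc).isoformat()
    manifest = {
        "artifacts": [
            {"path": os.path.abspath(p), "sha256": sha256_file(p),
             "size": os.path.getsize(p), "collected_at": now, "collector": collector}
            for p in paths
        ],
        "custody": [],
    }
    add_custody_entry(manifest, "collected", collector, "initial acquisition")
    return manifest


def save_manifest(manifest: dict, path: str) -> str:
    """Write the manifest as JSON; the manifest itself should be stored separately from the evidence."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return path


def verify_manifest(manifest: dict) -> list:
    """Return a list of problems: missing or altered artifacts, or a broken custody chain. Empty means intact."""
    problems = []
    for art in manifest["artifacts"]:
        if not os.path.exists(art["path"]):
            problems.append(f"missing: {art['path']}")
        elif sha256_file(art["path"]) != art["sha256"]:
            problems.append(f"hash mismatch: {art['path']}")
    prev_link = "genesis"
    for i, entry in enumerate(manifest["custody"]):
        body = {k: v for k, v in entry.items() if k != "link"}
        if _link_hash(prev_link, body) != entry["link"]:
            problems.append(f"custody chain broken at entry {i}")
        prev_link = entry["link"]
    return problems


def demo() -> tuple:
    """Collect a constructed log file, verify it, then show that later tampering is reported."""
    workdir = tempfile.mkdtemp(prefix="evidence_demo_")
    log_path = os.path.join(workdir, "auth.log")
    with open(log_path, "w") as f:
        # Constructed sample line, not a real log record.
        f.write("Mar 01 02:14:07 host sshd[812]: Failed password for admin from 203.0.113.9\n")
    manifest = collect_evidence([log_path], collector="analyst1")  # hypothetical collector
    add_custody_entry(manifest, "transferred", "analyst1", "handed to outside counsel")
    save_manifest(manifest, os.path.join(workdir, "manifest.json"))
    before = verify_manifest(manifest)
    with open(log_path, "a") as f:
        f.write("appended after collection\n")  # simulates an unauthorized change
    after = verify_manifest(manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest and the custody log should live on separate, access-controlled storage from the artifacts they describe; the link hashes detect edits to the history but do not prevent them, so the manifest should also be signed or timestamped by someone independent of the analysts when admissibility matters.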
Data security is an increasingly important issue for companies of all types and sizes. Creating a detailed plan that addresses how an incident should be remediated and investigated from start to finish will go a long way to mitigate damage from a breach. Creating a security response team that is knowledgeable, well-trained and well-equipped to deal with an incident is the first and most important step that any company can take to prepare.
Taylor helps businesses and business owners solve and prevent problems as a member of Foster Swift's Business and Corporate practice group. He handles business formation and transactions, tax controversies, employee benefits, and technology related issues.
John brings a unique perspective to Foster Swift with his practical experience as an entrepreneur, business owner, and manager. He focuses in the areas of business, tax, intellectual property and entertainment.