Articles and notices about data breaches have become commonplace, but the actions required by companies in the event of such an incident are considerable and the potential liability substantial. Cyber incident response planning should not be taken lightly and actions are needed in the event of a potential incident. The following are some suggestions for planning for your company and responding in the event of an incident. Contrary to some views, the use of cloud vendors and other third parties does not negate the need for such a plan. The US Federal Trade Commission has provided a good deal of specific guidance on this topic which must be taken into account when formulating a plan.
To be meaningful, the plan must be in writing and communicated to all key employees. In developing your incident response plan, each company needs to evaluate its own internal processes and the information it maintains. The specific parts of the plan may include the following:
- Who will be the point person? This person is responsible for execution of the plan and communicating and overseeing with members of the response team and third parties. In larger organizations, this will often be the responsibility of someone in the compliance or legal department.
- Who will be on the team? These will be resources that have critical skills and knowledge that will be needed. Representatives from executive management, IT, HR, legal, public relations and risk management. A back up person in each category should also be identified. Contact information must be shared and updated.
- Understand what data the organization has, where it is kept, how is it secured and where backups are maintained.
- Who is responsible for preventing an incident from happening? Who is responsible for detecting one when it does? This may be the same person, but may include outsourced functions.
- How will the organization work to contain the breach and investigate the incident, as well as providing legally required notices?
- Does your organization have cyber insurance coverage? Should you? Who will initiate claims?
Once the incident response plan is developed, it is important to determine how employees within the organization should be trained to be sensitive about the privacy of information, recognize a potential problem and the response needed.
If your organization learns about a cyber incident, immediate implementation of the response plan and developing an action plan are important and some aspects are legally required. As you are assembling the team, you should begin to assess the threat level and the nature of the response. There are some suggested points to consider:
- Determine the kind of data that has been compromised and the manner in which the incident occurred. Is the information proprietary or confidential? Does it contain personally identifiable information? Is it subject to regulatory compliance (such as health related data subject to HIPAA)?
- Determine if the incident is potentially ongoing (for example through a compromise of your information systems) or a one-time incident (such as through the loss or theft of devices storing information).
- Contact counsel to assist in the legal aspects, determine which notices are required and who provides them, and to coordinate the response. The retention of some professionals should be through your outside counsel in order to potentially preserve the confidentiality of any information.
- As part of the investigation of the incident, determine if a security or forensic firm should be brought in to assist. (Hint: the answer is almost always yes.) Often the lawyer should hire the forensics firm for confidentiality purposes.
- Complete remediation, if necessary, of your information systems and determine whether notification obligations exist. Depending on the scope of the breach, you may also need to retain the services of a public relations firm to tailor the disclosure and the message.
- Evaluate what weaknesses existed in your systems, processes and policies and implement fixes and updates to your systems. Review and update your incident response plan as well.