All companies have employee, proprietary, financial and other sensitive data that require protection. Human error is still one of the most common causes of a data breach and that is very difficult, if not impossible, to completely eradicate. Moreover, with the recent release of the Yates Memorandum from the Department of Justice (“DOJ”), the DOJ is emphasizing best practices when dealing with individuals in connection with corporate wrongdoing. To quote my colleague, Jackie Bennett, “…now is the time to capitalize on the public’s concern about individual culpability and to create or update corporate compliance programs, including incident response plans and related training tools and materials to adjust to the realities of the Yates Memo…”
One of the most important steps in minimizing the risks from a data breach is early detection. Why? Because it allows the company to not only limit the access to sensitive data, mitigate any resulting damage both to data owners and itself, but it also allows the company to control the narrative, rather than reacting to a narrative that is created for it. Early detection can occur either internally or externally through a third party vendor, but early detection is critical because it gives the company sole and complete control over the investigation and corresponding narrative rather than being on the defensive with few or no verified facts when facing questions from third parties such as customers, creditors, regulators, or the media.
Most incidents require forensic investigation and many attract media and regulatory attention as well. It is, therefore, critical that the company have a process in place for early and independent detection, analysis, investigation, containment, eradication and recovery. If a company is informed of a data incident rather than independently detecting it, recent history shows that reactionary comments from ill-equipped corporate officials and PR staffs have led to unintended and costly consequences.