Clearly, the Internet has transformed the world. Not only can we now communicate with one another through our computer or mobile phone, but our televisions, portable health devices, and even our refrigerators are connected to the Internet. As technology becomes more and more sophisticated, so too do hackers’ efforts to steal and misuse the personal information of millions of individuals, not to mention company trade secrets, executive-level communications and intellectual property. In a study done a few months ago, the Identity Theft Resource Center stated that the United States was averaging between two and three data intrusions per day, and that is only counting the reported ones.
The statistics reveal that less than 20 percent are reported in the first place. With the number of data intrusions only set to increase over the next decade, it is not a question of “if” your company is going to get hacked but “when.” This article will offer some practical tips on developing and implementing an incident response plan that will effectively deal with a data intrusion and minimize potential financial and reputational fallout.
Perhaps the most important thing to include in an incident response plan (IRP) is a clear delineation of who is doing what. When an intrusion is eventually discovered, a lot of things need to get done, and the last thing you want is to spend days, weeks or even hours debating who is responsible for handling these various areas. A dedicated Internal Response Team (IRT) is essential to making an IRP work.
At the core of the IRT is the Executive Committee, which should be staffed by one person from IT information security, one person with a compliance/risk/legal background, and one person with institutional executive authority (to serve as the liaison with the company’s leadership team, clear the way, and arrange financing for the various remediation tasks required). The Executive Committee drives and directs the initial response and investigation by the company and receives reports several times a day until the problem is fixed and the extent of the damage is understood. Depending on the nature of the attack/exposure, the IRT may include representatives of human resources, sales/marketing or facilities management if any of these functions is directly affected by or directly targeted by the data loss. While authority for big decisions concerning the intrusion must ultimately lie with company leadership, the Executive Committee will handle the day-to-day minutiae of the incident. The IRP should also identify which member of the Executive Committee is responsible for each step.
The IRP should also identify any outside entities that will be retained or contacted once the intrusion is discovered. These would include (1) outside legal counsel to deal with the myriad divergent intrusion and breach reporting requirements found in federal, state and international data breach laws (and to cloak communications surrounding the intrusion and breach in the attorney-client privilege); (2) an independent IT security firm to impartially investigate the causes of the intrusion and breach and to help the company come up with technical measures for minimizing the chance of future intrusions and breaches; and (3) a PR firm that can help the company craft a message that provides relevant information while minimizing reputational loss. Amidst the potential chaos of a data intrusion and breach, you do not want to be flipping through the digital equivalent of the Yellow Pages to find outside assistance.
Regular reporting, in writing, is also essential—once per day or once every other day while investigation and remediation of the intrusion and breach are taking place and at least once a week while other aspects of the intrusion and breach (like notification) are being resolved. Even if there does not appear to be anything substantive to report, creating a paper trail to demonstrate how diligently the company responded to the incident can go a long way in any future legal or reputational battles.
Finally, and most importantly, test the IRP before you actually have to implement it. It does absolutely no good to wave your well-crafted IRP in front of everyone involved in the process if they have never seen it before, do not know they are part of the IRT (or worse, the Executive Committee) and do not understand precisely what they need to do. Providing training to participants in incident response and conducting table-top exercises (or even a live simulation of a data intrusion) with all key players involved will not only make everyone feel more comfortable and confident in their roles, it will also identify any weaknesses in the plan in time for them to be addressed before the real thing occurs.