A large portion of the data breaches that occur each year involve human resource-related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach.
This part discusses the role of a crisis manager in coordinating the investigation of an incident and provides practical suggestions for what a crisis manager should consider throughout the investigative process.
Incident response teams are usually composed of personnel from a variety of backgrounds who represent a variety of internal departments. Because the members of a response team rarely have the same reporting structure, confusion about who has authority to convene an investigation, assign projects, or retain needed resources can lead to inefficiencies.
A pre-designated crisis manager who reports directly to, and has authority conferred from, senior management often facilitates an efficient response. The crisis manager should work closely with legal counsel to ensure that attorney-client privilege is maintained. You should consider five key items if you are designated as the crisis manager for your organization:
- Track Investigation: Depending upon the complexity of a data security incident, the incident response team may initiate several investigative tracks simultaneously. This is particularly true in the early stages of a security incident when an organization may suspect that data has been lost, but might not have identified the who, what, where, and why connected with the loss. When there are multiple lines of investigation that may be taxing various resources within, and outside of, the organization, it is sometimes difficult for the members of the incident response team to stay on top of the status of investigative tracks in which they are not directly involved. In such a situation, it can be extremely beneficial to have the crisis manager track each of the investigative tracks.
- Assign Responsibility: Security investigations often rely upon the involvement of various personnel within an organization, but don’t squarely fall within the responsibilities of any one employee. As different team members work to complete pieces of an investigation, the overall progress of the track can stall. In narrow investigations, the crisis manager may take responsibility for the investigative track. In broader investigations that involve multiple lines of inquiry, this may prove to be impossible. In such situations, it is helpful for the crisis manager to assign responsibility to one person to oversee a piece of an investigation, to take ownership of clearing any obstacles that develop, and to report the status of the investigative track back to the crisis manager or to the entirety of the incident response team.
- Evaluate the Effectiveness of the Incident Response Team: Sometimes the team called for in an incident response plan is the right one to investigate a particular incident. Other times, what made sense in a vacuum, or worked well on paper, may not be an effective combination in practice. Throughout an investigation, a crisis manager should evaluate the effectiveness of the incident response team. If the crisis manager finds that the team is not functioning efficiently or effectively, they should adjust the team’s membership as needed.
- Report to Stakeholders: There are often many stakeholders who are interested in the outcome of a security investigation (e.g., senior management, insurers, auditors, third-party service providers, law enforcement). The crisis manager should attempt to identify those stakeholders early on and develop a strategy for providing them with an appropriate level of information on a periodic basis. Note that whenever a crisis manager is considering sharing information outside of the organization, she should consult with her attorney prior to doing so to understand whether the information is privileged, what impact sharing it with third parties might have, and what steps (if any) might be taken to protect the privilege.
- Request Sufficient Resources: A crisis manager should consider whether the organization has sufficient internal and external resources to adequately investigate a security incident. Resources (e.g., personnel and technology) can almost always be supplemented; however, it is difficult to do so instantaneously. As a result, the sooner that a deficit is identified and a plan put into place to supplement resources, the better.
TIP: Often the main role of the crisis manager is to make sure that an investigation is coordinated and each of the members of the incident response team has what they need in order to proceed with their assigned tasks.