WHAT YOU NEED TO KNOW IN A MINUTE OR LESS
Reported incidents of data breaches have reached record levels over the last two years1)Experian Data Breach Resolution. (2021). Eighth Annual Study: Is Your Company Ready for a Big Data Breach? Ponemon Institute.. Given this undeniable reality, a data security incident response plan is no longer a luxury; it is a vital tool in every company’s larger crisis management plan. A well-thought-out and thorough response plan can not only significantly reduce the confusion that often follows a data security incident, but can also reduce the pitfalls that often lead to regulatory scrutiny and putative class actions in the United States and the fairly recent “group actions” in the European Union.
In a minute or less, here are the essential components of a working incident response plan.
Key Roles and Responsibilities
An incident response plan must identify those individuals responsible for invoking the plan and leading the response to any data security incident. It should identify one person who is ultimately accountable for the response, including clearly defined roles and responsibilities for all other response team members, including a member of top management.
Timing is critical in the wake of a data security incident. The use of tabletop exercises can detail team members’ respective roles, provide the necessary skills to navigate an incident, and facilitate teamwork with other appropriate personnel to manage the incident.
This section of the plan should be supplemented with key external resources, such as a detailed contact list for legal counsel, forensic investigators, and local law enforcement, such as FBI cybersecurity agents. Considering the often-constricted timeframes for breach notification requirements, best practices dictate having these external resources identified and familiar with company systems, saving valuable time during a crisis.
The plan should also contain clear definitions on how to identify whether the company’s systems have been breached or compromised. Here, it is important to document the extent of the breach, its effects, and the potential source of the compromise.
Once the breach is clearly identified, the plan should outline the steps that should be taken to contain the incident (e.g., systems to be taken offline, information to be deleted safely, short-term and long-term strategy to prevent further unauthorized access or other nefarious conduct).
Internal Information Technology teams, as identified in the roles and responsibilities section of the plan, are often well positioned to assess the nature and potential scope of the incident, as well as how to mitigate damage. This includes assessing which systems and data might be involved and the availability of backup systems (intervention should be minimal, so as not to interfere with an impending independent investigation). After containment, the plan should address doing whatever is required to eradicate the cause, ensuring all malicious content is wiped clean from company systems without compromising data. Then, and only then, can the plan address getting affected systems back online.
Finally, the plan should anticipate the need to communicate about the incident, both internally and externally. Communications to the C-suite and board are almost always required, and depending upon the incident, select or all employees may need to be informed. For example, a ransomware event impacting all email systems likely requires a communication to all employees.
Legal counsel can help determine the scope and content of any external communications to insurers, third-party vendors or business partners, and, depending on the incident, impacted data subjects and regulatory agencies as warranted or required by law. This section of the plan should therefore state when notifications may be appropriate, including the process for notifying key stakeholders and impacted parties in a timely fashion. Lastly, the response team should discuss a “retrospective” of the documented incident to evaluate its cause and future preventative action. The incident response plan should be adjusted based on the lessons learned.