Thought Leadership and Industry Trends
What to Do After a Data Breach? Experts Weigh in on Developing a Response Plan
Data breaches reported in the media seem to be almost a daily occurrence leaving companies with both immediate and long-term damage that must be addressed. At Putting Insights into Practice New York, a panel of law firm, corporate, and technology experts discussed how companies can better plan for and implement a response plan. They offered insights into some of the high-level response activities businesses must undertake in the wake of a cybersecurity incident. Does your company’s plan consider these key points?
An Incident Response plan must include Leadership, IT, Security, Legal, PR, and Risk Management. A data breach raises technology, legal, financial and reputational problems. The appropriate team members must be involved at every stage in order to facilitate a coordinated response.
After a breach is discovered, notification is essential. Who should be notified internally? In addition to the key team leaders, other personnel may need to be informed based on the facts of the case. For example, if an employee violated company policy, HR should be notified.
External notification may also be required. Depending on the nature of the incident, notification may be legally required under statutes/regulations (e.g., those protecting Personally Identifiable Information or Personal Health Information) or by contract (e.g., government contracts). In addition, banks, insurance carriers, law enforcement and the media may also need to be informed.
The Legal Department should provide input from the beginning but assess their level of involvement in the investigation. As noted above, there may be potential notification requirements that legal must address. In addition, legal actions including takedown and cease and desist orders may be necessary. Investigations into the incident also should include guidance from the legal department. However, note that using outside counsel may be beneficial so that any investigation and findings are protected under attorney-client privilege.
Conduct a post-incident review. After a thorough investigation, a review is necessary to identify lessons learned. The source of the breach may be identified and fixed, but companies must consider how to prevent a future incident. This may require implementing financial and IT controls, changes in company policies and other actions. In addition, businesses must assess how they responded to the incident. How quickly did they find the problem and notify the appropriate parties? Where can improvements be made?
Although it is impossible to plan for every situation, it is important to be proactive and implement best practices. If you discover a breach, a quick and comprehensive response can help mitigate some of the damage. Working with technology experts and deploying the right tools can significantly improve the time, cost and accuracy of responding to a breach.
Thanks to Moderator Steve Wang, Director Managed Review, CDS and panelists Greg Bautista, Partner (Cybersecurity), Wilson Elser; Catherine Stamm, Associate Director, Cyber Investigations, Kivu Consulting and Sean Renshaw, Director of Security, Privacy, and Risk Services, RSM US LLP.
About the Author