In the wake of significant retailer data breaches in 2013 and 2014, and additional significant breaches continuing in 2015, a trend is clearly developing — an expectation of proactive risk identification and mitigation from a legal, technical and business process perspective as the “gold standard” in terms of what organizations should be doing to protect sensitive customer, consumer or individual data, particularly with regard to the ever-expanding category of “personally identifiable information.” Massachusetts, Nevada and New Hampshire have passed laws specifically requiring private sector cybersecurity assessment and adherence to security standards by companies holding sensitive consumer data. It’s a matter of time before other states follow. Further, Congress is in broad agreement about the need for legislation on cybersecurity, and there has been a wide range of congressional proposals for statutory requirements for protection of various other kinds of sensitive data over the past few years.
Most recently, on April 30, 2015, the U.S. Department of Justice issued cybersecurity guidance that counsels every organization with personally sensitive data to develop a well-considered, proactive Incident Response Plan before an attack hits, retain experienced legal counsel and remain vigilant even after an incident appears to be under control. Regardless of what kind of risk assessment your organization may or may not have done to date, one thing is clear from the lessons of the past 10 years since “data breaches” first became a newsworthy topic – data breaches can happen to anyone. Headlines have trumpeted the causalities.
In the wake of one of the largest and most infamous data breaches, the impacted company’s General Counsel, in testimony before Congress, offered one over-arching piece of advice: Have a data response team and a response plan in place.
So, here’s a simple explanation of the basic elements of a good Data Breach Incident Response Plan.
First, build an Incident Response Team. Identify the constituencies within your organization that need to be involved with any potential response to a breach crisis. This will usually include representatives from legal, IT, HR, public relations and executive management. The best practice is to appoint Team members from each of these groups, as well as backup Team members in case the appointed member for some reason can’t serve when a crisis occurs (i.e. family or medical leave, etc.). It’s also important that the people be appointed by authorized decision makers. The last thing you want in a crisis is a culture of decision-making-by-committee to take over. The people named to your Incident Response Team should be prepared for a crisis and ready to take decisive action. For that reason, it’s very important to pre-identify, as members of your Team, individuals from a qualified and experienced outside law firm, a computer forensics firm, and your insurance carrier. Before a breach crisis occurs, your Incident Response Team should caucus periodically, discuss and refine your Incident Response Plan, and “war game” possible responses to a breach. Table-top exercises are a great idea.
In that regard, your Incident Response Team, and especially outside counsel and your forensics firm, should become intimately familiar with relevant policies, organizational structure, operations and infrastructure considerations before a breach occurs. Many times, in a breach situation, hours and minutes matter, and there is no time to waste. If brand new people are forced to get up to speed in the heat of a crisis, when key employees are scrambling and even fearful, critical information-sharing can be impeded, and important aspects of your response can be unnecessarily delayed.
In the same spirit, your organization, including your Incident Response Team, should periodically review your organization’s exposures regarding collection practices, use, storage, scope of disclosure and risk of harm regarding personally identifiable information (broadly defined) or Protected Health Information. That includes reviewing contracts with outside vendors who may have responsibility for storing or managing your information in the cloud. What level of detail your organizational review includes will vary from one organization to the next, but proactively deciding to conduct such a periodic review, even with a small team, will raise important questions about your organization’s vulnerabilities and preparedness. It would also be a first step toward the kind of organizational assessment required by state laws discussed above and put you on the road toward building a comprehensive Information Security Program, even if your organization is not immediately committed to a full-fledged assessment and comprehensive program at this time.
The next consideration regarding an Incident Response Plan is a plan for controlling internal communications in the event of a breach crisis. Emails, especially, have a tendency to start flying once a crisis breaks. If litigation ensues, internal communications among a broad group of people – especially people who are uninformed or have no need to be discussing the issues – can come back to bite your organization. Your Incident Response Team should be prepared, in advance of a breach crisis, to communicate quickly and clearly to your organization that a specially prepared Team is “on it” and that internal communications regarding the events in question should be curtailed to the greatest degree possible. To that end, employee interviews conducted as part of your internal and forensic investigation as to the causes and extent of the breach should be conducted with counsel included, so that the protection of attorney-client privilege is preserved.
It’s also important to pre-plan regarding any outside third parties who must be contacted in the event of a breach. This is generally driven by the industry you’re in, the regulatory posture of your business, and relevant breach notification laws. For instance, if you’re a financial institution or a HIPAA-covered entity, the notification schemes governing those industries require regulators to be notified of a breach in certain circumstances. Likewise, certain state notification statutes require notification of the state Attorney General or other consumer protection officials if certain thresholds are met. Knowing who you must notify outside of your organization, and how to notify them, before a breach occurs is critical.
Finally, it’s important, before a breach occurs, to have one spokesperson identified who will speak for your organization. Preferably, this person should be a member of your Incident Response Team so that they are adequately informed from the start. Multiple voices speaking to multiple constituencies – your internal organization, regulators, media outlets or law enforcement – generally just create a lot of noise, rather than a concise, informed, consistent message that is necessary to bring efficiency to your response, and calm to all the various constituencies concerned.
Building an Incident Response Plan is just one aspect of information security. Ideally, it should be part of a broad Information Security Program that includes assessment of all of your organization’s information vulnerabilities and risks. But it’s perhaps the easiest step to accomplish, and when (not if) your organization experiences a data breach, you’ll be glad you set out to prepare yourself ahead of time.
John Hutchins,johnhutchins@leclairryan.com