Having handled numerous headline-making data breaches, we are often asked what some of the key considerations in incident response are, or which items to include in a data breach response checklist. Below we list a few key considerations, but each incident should be evaluated on a case-by-case basis with experienced legal counsel who have technology or cybersecurity backgrounds.
First, Engage Your In-House and Outside Counsel
Legal counsel plays an important role in any data incident, including maintaining the confidentiality of the investigation, protecting applicable internal communications under the attorney-client privilege and work product protections, and anticipating litigation and other legal risks. Counsel will assist in identifying your legal obligations following a data incident, including any customer notification requirements or reporting to the government and other authorities. Time is of the essence in any incident response, so it’s important to act quickly and engage legal counsel as soon as you become aware of an incident.
Notify Insurance Broker/Cyber Insurance Carrier
Legal counsel can assist in reviewing insurance policies, determining when notification is needed to preserve coverage rights, and making reports to carriers as appropriate. Insurers will have their own questions and requirements, and it is important to provide accurate and timely information as required.
Execute Your Data Incident Response Plan
Every organization should have an incident response plan and test that plan regularly. Assemble your pre-identified incident response team immediately when there is a reasonable belief that a breach may have occurred. The incident response team is responsible for managing the organization’s response and mitigation efforts and executing the organization’s incident response plan. When investigating an incident, the incident response team should make sure legal counsel is part of any communications wherein legal advice is sought in order to help protect the attorney-client privilege and confidentiality.
Once sufficient information about the incident is recorded, deploy your communications team to control internal and external messaging in accordance with your incident response plan. Internal and external communications should be clear, concise, and consistent with other reporting, so be sure legal counsel has reviewed them before release.
Investigate the Incident
At the direction of legal counsel, your designated incident response team member should identify and collect information about the incident, including interviewing involved personnel and documenting the forensic position of the organization (i.e., was any data viewed, modified, or exfiltrated; what personally identifiable information was compromised; what measures are necessary to restore the system, etc.).
Mitigate risks by determining whether any security risks or gaps remain, and whether other systems are in immediate danger. Companies should take steps to address and remediate the source of the breach and evaluate any additional protection measures needed to contain the breach and prevent further damage.
Satisfy Any Legal Obligations To Provide Notice To Consumers or Report To Agencies
As of 2018, all 50 states have data breach notification laws with various legal requirements. Certain states require notification of law enforcement when there is a security breach. Determine the location of any impacted customers, employees, and/or systems affected by the incident to determine the impact and involvement of various jurisdictional laws.
Learn From the Incident
Data incidents expose the vulnerabilities in an organization’s computer systems. Those vulnerabilities should be addressed to prevent the systems from being exploited in a similar manner in the future. Address any identified weaknesses and determine whether any changes need to be made in your incident response plan or other policies and practices.
If you have questions about creating a legally defensible Incident Response Plan, contact the cybersecurity and incident response attorneys at Octillo. Our team of experienced attorneys, who are also devoted technologists, is equipped with the skills and experience necessary to help businesses evaluate the legal risks posed by modern technologies. Octillo will continue to monitor new developments and provide updates, trainings, and practical solutions for organizations navigating data protection challenges.
*Attorney Advertising. Prior results do not guarantee future outcomes.