Data BreachBreach Response Checklist

Breach Response Checklist

Having handled numerous headline-making data breaches, we are often asked what are some of the key considerations in incident response.  Below are a few key considerations, but each incident should be evaluated on a case-by-case basis with experienced legal counsel with technology backgrounds.

First Engage Your In-House and Outside Counsel

Legal counsel plays an important role in any data incident, including maintaining the confidentiality of the investigation, protecting applicable internal communication under the attorney-client privilege and work product protections, and anticipating litigation and other legal risks. Counsel will assist in identifying your legal obligations following a data incident, including any customer notification requirements or reporting to government and other authorities. Time is of the essence in any incident response so it’s important to act quickly and engage legal counsel as soon as becoming aware of an incident.

Notify Insurance Broker/Cyber Insurance Carrier

Legal counsel can assist in reviewing insurance policies, determining when notification is needed to preserve coverage rights, and making reports to carriers as appropriate. Insurance will have their own questions and requirements and it is important to provide accurate and timely information as necessary.

Execute Your Data Incident Response Plan

Every organization should have an incident response plan, and test that plan regularly.  Assemble your pre-identified incident response team as soon as there is a reasonable belief that a breach may have occurred.  The incident response team is responsible for managing the organization’s response and mitigation efforts and executing the organization’s incident response plan.  When investigating an incident, the incident response team should make sure legal counsel is part of any communications wherein legal advice is sought in order to help protect the attorney-client privilege and confidentiality.

Once sufficient information about the incident is recorded, deploy your communications team to control internal and external messaging in accordance with your incident response plan. Internal and external communications should be clear, concise, and consistent with other reporting – so be sure legal counsel has reviewed.

Investigate the Incident

At the direction of legal counsel, your designated incident response team member should identify and collect information about the incident, including interviewing involved personnel and documenting the forensic position of the organization (i.e., was any data viewed, modified, or exfiltrated; what personal information was compromised; what measures are necessary to restore the system, etc.).

Mitigate risks by determining whether you have any security gaps or risks, or whether other systems are under threat of immediate danger.  Companies should take steps to address and remediate the source of the breach and evaluate additional protection measures needed to contain the breach and prevent future damage.

Satisfy Any Legal Obligations To Provide Notice To Consumers or Report To Agencies

As of 2018, all 50 states have data breach notification laws with various legal requirements.  Certain states require notification of law enforcement when there is a security breach.  Determine the location of any impacted customers, employees, and/or systems affected by the incident to determine the impact and involvement of various jurisdictional laws.

Learn From the Incident

Data incidents expose the vulnerabilities in an organization’s computer systems. Those vulnerabilities should be addressed to prevent the systems from being exploited in a similar manner in the future. Address any identified weaknesses and determine whether any changes need to be made in your incident response plan or other policies and practices.

About Beckage

If you have questions about creating a legally defensive Incident Response Plan contact sophisticated tech counsel, we would be happy to help. Beckage is a law firm focused only on tech, data security and privacy. Its lawyers are also technologist and former tech business owners. Beckage is also proud to be a certified Minority and/or Women Owned Business Enterprise (MWBE).

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Cannabis PrivacyRecent Cannabis Industry Data Breach Highlights Importance of Risk Mitigation Through IT Contracting & Insurance

Recent Cannabis Industry Data Breach Highlights Importance of Risk Mitigation Through IT Contracting & Insurance

When it comes to cyber security threats, everyone is at risk – regardless of the size or industry of the business. We see this as the cannabis industry was hit hard last week when a software vulnerability, which revealed data from at least 30,000 people from multiple dispensaries across the U.S., was exposed.

Although it remains unclear by whom the data was accessed by, this incident highlights the particular risk that businesses in the cannabis industry face: legal requirements to collect detailed personal records from clients and a fluid regulatory landscape. This incident also highlights that a proactive cyber security plan can help shift legal risk, and likewise well-drafted liability protections if a data breach does happen.

What is Cyber Liability Insurance?

Similar to other types of liability insurance, cyber liability policies protect businesses in the case of a data breach, ransomware attack, or other cyber security failure. These types of policies cover expenses or losses incurred when a network or database has been hacked, ransomed, or otherwise compromised. Coverage typically includes:

• Notification costs – including investigating, responding to and resolving an actual or suspected data breach, and alerting potentially affected people. You might need mailings, call centers, or even additional staff.

• Credit monitoring costs – companies trying to mitigate a security breach often provide free credit reports or monitoring, as well as identity theft insurance costs to defend claims by state or federal regulators.

• Ransom payments – sadly, hackers can (and have) taken networks and databases hostage. Liability insurance would cover ransom payments, as well as costs for data recovery and restoration and loss from business interruption.

• Fines and penalties – with new data privacy laws emerging, the penalties for failing to protect consumer data could be substantial.

• Third party liability – if allegations of negligence or failure to take reasonable measures to prevent a security breach arise then, a third party business could be held responsible.

• Crisis management costs – to track and contain both the cyber threat and the fallout, you may need forensic investigators, professional crisis management, or strategic communications support.

Cyber liability insurance is an increasingly important risk management tool that organizations rely on as a part of a larger, comprehensive cyber security and privacy breach response plan. Take note that cyber liability insurance is different from technology errors and omissions (tech E&O) insurance, which is designed to protect companies that provide technology products and services, such as computer software manufacturers. Cyber liability insurance covers the fallout from a particular breach of customer or client data.

Why Cannabis Businesses Need It

Any business that collects personal data could face substantial liability in the event of a breach, however the cannabis industry faces even more risk, because of the unique amount and often type of information dispensaries and other businesses are required to collect. In addition, due to constantly shifting industry and regulatory landscape, many cannabis businesses may find themselves in uncharted territory and are likely to have questions about cyber liability risks. It is also important to note that while general liability insurance policies may cover some cybercrime losses, they generally will not provide the comprehensive coverage needed to mitigate the damage from a data breach. Some general liability policies may even contain exclusions for cyber liability losses and claims.

One thing is for certain: data is becoming increasingly valuable. Our Beckage CannaPrivacy Team understands the importance steps businesses should implement to protect this valuable data. If the worst happens, it is critical to have the right liability coverage to minimize losses and disruption. Our team can help assess liability coverage, using their expertise to help map out a nuanced cyber liability insurance plan for any business in the cannabis industry.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to the Beckage Blog and Newsletter

circuit boardThe Importance of an Incident Response Plan

The Importance of an Incident Response Plan

As recent news headlines confirm, data breaches continue to be a threat to companies regardless of size. From reputational harm, disruption to your daily business, to significant monetary penalties and litigation, the potential consequences of a data breach are significant. It is more important than ever that companies evaluate their cybersecurity readiness plan, from policies and procedures to privacy concerns under the GDPR to ensure they are ready if a breach occur. While there is no one-size fits all approach to preventing data breaches, there are many best practices companies can employ to help minimize the risk of being breached. From regular conducting risk assessments and inventorying of the data that you collect to developing and testing your incident response plan, preparation is the name of the game. One component of your data security program, an Incident Response Plan, is an important step you should have in place to help mitigate and contain an incident if one occurs.

What is an Incident Response Plan?

An Incident Response Plan sets forth the company’s procedure for identifying, reporting and responding to an incident should one occur. It ensures that everyone is on the same page if a data breach happens. At a minimum, here are some key elements that an Incident Response Plan should include:  

   1) Policy scope and definitions.

   2) Identify Incident Response Team Members and outline roles for each.

   3) Outline procedures for identifying, reporting and responding to an incident.

   4) Set forth the legal obligations for reporting and notice to potentially impacted persons.

   5) Identify how often the Incident Response Plan will be reviewed and updated.

   6) Post-incident analysis procedures.

Developing an Incident Response Plan is not the end of the road, however. Your Incident Response Plan is a living and breathing document and the best way to know if it actually works is to test it consistently. Simulated cyber incidents that force your company to work through the procedures in your plan must be tested, gaps fixed, and improvements made. Simulated incidents with counsel are ideal to help identify legal risks along the way and help put the company in a legally defensible position.

It is very important to have your Incident Response Plan reviewed by Legal Counsel to ensure it satisfies your legal obligations under various state, federal and international laws. Beckage attorneys are fully equipped to help you navigate this process and help reduce your risk and exposure should a data breach occur.

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.