Having handled numerous headline-making data breaches, we are often asked about the key considerations in incident response. Below are a few of them, but each incident should be evaluated on a case-by-case basis with experienced legal counsel who have technology backgrounds.
First Engage Your In-House and Outside Counsel
Legal counsel plays an important role in any data incident, including maintaining the confidentiality of the investigation, protecting applicable internal communication under the attorney-client privilege and work product protections, and anticipating litigation and other legal risks. Counsel will assist in identifying your legal obligations following a data incident, including any customer notification requirements or reporting to government and other authorities. Time is of the essence in any incident response, so it's important to act quickly and engage legal counsel as soon as you become aware of an incident.
Notify Insurance Broker/Cyber Insurance Carrier
Legal counsel can assist in reviewing insurance policies, determining when notification is needed to preserve coverage rights, and making reports to carriers as appropriate. Insurers will have their own questions and requirements, and it is important to provide accurate and timely information as necessary.
Execute Your Data Incident Response Plan
Every organization should have an incident response plan, and test that plan regularly. Assemble your pre-identified incident response team as soon as there is a reasonable belief that a breach may have occurred. The incident response team is responsible for managing the organization’s response and mitigation efforts and executing the organization’s incident response plan. When investigating an incident, the incident response team should make sure legal counsel is part of any communications wherein legal advice is sought in order to help protect the attorney-client privilege and confidentiality.
Once sufficient information about the incident is recorded, deploy your communications team to control internal and external messaging in accordance with your incident response plan. Internal and external communications should be clear, concise, and consistent with other reporting, so be sure legal counsel has reviewed them.
Investigate the Incident
At the direction of legal counsel, your designated incident response team member should identify and collect information about the incident, including interviewing involved personnel and documenting the forensic position of the organization (e.g., was any data viewed, modified, or exfiltrated; what personal information was compromised; what measures are necessary to restore the system).
Mitigate risks by determining whether you have any security gaps or risks, or whether other systems are under threat of immediate danger. Companies should take steps to address and remediate the source of the breach and evaluate additional protection measures needed to contain the breach and prevent future damage.
Satisfy Any Legal Obligations To Provide Notice To Consumers or Report To Agencies
As of 2018, all 50 states have data breach notification laws with various legal requirements. Certain states require notification of law enforcement when there is a security breach. Identify the location of any impacted customers, employees, and/or systems affected by the incident to determine the impact and involvement of various jurisdictional laws.
Learn From the Incident
Data incidents expose the vulnerabilities in an organization’s computer systems. Those vulnerabilities should be addressed to prevent the systems from being exploited in a similar manner in the future. Address any identified weaknesses and determine whether any changes need to be made in your incident response plan or other policies and practices.
If you have questions about creating a legally defensive Incident Response Plan, contact sophisticated tech counsel; we would be happy to help. Beckage is a law firm focused only on tech, data security and privacy. Its lawyers are also technologists and former tech business owners. Beckage is also proud to be a certified Minority and/or Women Owned Business Enterprise (MWBE).
*Attorney Advertising. Prior results do not guarantee future outcomes.