With only a few months left before the landmark California Consumer Protection Act (CCPA) takes effect, yesterday the California Attorney General announced Proposed Regulations implementing the CCPA. By way of background, the CCPA comes into effect January 1, 2020 and will put some of the strictest guidelines the US has seen regarding the collection and processing of personal information of California residents. While the law addresses the processing of personal information of California residents, the CCPA is likely to have far reaching impacts on businesses across the nation, including New York-based businesses. The text of the CCPA can be found here.
As recent news headlines confirm, data breaches continue to be a threat to companies regardless of size. From reputational harm, disruption to your daily business, to significant monetary penalties and litigation, the potential consequences of a data breach are significant. It is more important than ever that companies evaluate their cybersecurity readiness plan, from policies and procedures to privacy concerns under the GDPR to ensure they are ready if a breach occur. While there is no one-size fits all approach to preventing data breaches, there are many best practices companies can employ to help minimize the risk of being breached. From regular conducting risk assessments and inventorying of the data that you collect to developing and testing your incident response plan, preparation is the name of the game. One component of your data security program, an Incident Response Plan, is an important step you should have in place to help mitigate and contain an incident if one occurs.
What is an Incident Response Plan?
An Incident Response Plan sets forth the company’s procedure for identifying, reporting and responding to an incident should one occur. It ensures that everyone is on the same page if a data breach happens. At a minimum, here are some key elements that an Incident Response Plan should include:
1) Policy scope and definitions.
2) Identify Incident Response Team Members and outline roles for each.
3) Outline procedures for identifying, reporting and responding to an incident.
4) Set forth the legal obligations for reporting and notice to potentially impacted persons.
5) Identify how often the Incident Response Plan will be reviewed and updated.
6) Post-incident analysis procedures.
Developing an Incident Response Plan is not the end of the road, however. Your Incident Response Plan is a living and breathing document and the best way to know if it actually works is to test it consistently. Simulated cyber incidents that force your company to work through the procedures in your plan must be tested, gaps fixed, and improvements made. Simulated incidents with counsel are ideal to help identify legal risks along the way and help put the company in a legally defensible position.
It is very important to have your Incident Response Plan reviewed by Legal Counsel to ensure it satisfies your legal obligations under various state, federal and international laws. Beckage attorneys are fully equipped to help you navigate this process and help reduce your risk and exposure should a data breach occur.
DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.