When a company suffers a data breach—or fears that it has suffered a breach—teams often go into panic mode. When the dust settles, work divides into two camps: those focused on business continuity and containment, and those focused on determining if the organization has any breach notice obligations under relevant laws.
Often, these goals can be in conflict—or at least resources to achieve these goals can conflict. Different teams work on different sides of the issue. Internal resources are stretched. Outside resources overlap. What can a company do? First, recognize that both goals are important and deserve resources. Second, account for both goals throughout the breach “process.” The following are some concrete steps companies—and their breach crisis teams—can take:
- Before the incident: Everyone knows about creating an incident plan, and giving it a test run. But what about taking steps to understand your business realities and needs? Being prepared and ready to address a breach, if it arises, hinges on a good understanding of the types of information you have, where you have it, and with whom that information is shared. It is never too soon to start on this work, and keeping that information up-to-date can be a life saver if a breach arises.
- Digging in—investigating an incident: This is where the work of the two goals, containment and determining notification obligations, can come into the most conflict. Obviously you will need to contain and control the incident. You will want to take steps like investigating the nature of the incident and getting the right team—with the right background—on hand. But you will also want to know some very specific facts for the lawyers who are determining whether notification is necessary. This includes understanding if there was a compromise to the information and if the information itself triggered breach notice laws (social security numbers, medical information, usernames and passwords, etc.).
- Notification: If you determine that notification is necessary, containment should not leave the scene. Will your notice impact any ongoing investigations? Will you tip off a bad actor? These are things that should be taken into account as you draft your notifications, and as you potentially work with law enforcement pursuing said bad actors.
- Post-notification: Once your notice goes out, you are not finished. The containment team will want to look at what lessons can be learned for next time—if there is a next time. The legal side of the house will be thinking about potential post-notice inquiries, whether they come from regulators, the press, or impacted individuals.
Regardless of whether your incident involves an aggressive bad actor bent on destroying your company or gives rise to a duty to notify, your team should ensure that it is taking appropriate steps to both contain and assess legal risks. The tips above are aimed at helping you get there.
Liisa Thomas, Esq.
Partner at Winston & Strawn LLP
Liisa will speak more on data breaches at the ISACA’s CSX 2015 cyber security conference in Washington, DC, 19-21 October 2015.
Note: This post is the third in a series of Cybersecurity Awareness Month blog posts. To learn more on the cyber security resources ISACA is offering this month, click here.
[ISACA Now Blog]