[BreachExchange] Preparing for a Data Security Breach: Ten Important Steps to Take

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 17 19:09:30 EST 2016


http://www.jdsupra.com/legalnews/preparing-for-a-data-security-breach-87548/

Is your company prepared to respond to a data security breach? For many
companies, even reading this question causes some anxiety. However, being
prepared for what seems like the inevitable—a security breach—can be the
difference between successfully navigating the event and not. While we still
hear some companies say, “That would never happen to our company!” a
significant breach can happen to any company.

In light of this and the close scrutiny that the high-profile breaches
reported over the past year have received, many companies have taken the
opportunity to consider their preparedness and ability to respond quickly
and decisively to such an incident. For our readers who are in-house
attorneys or privacy officers, we have prepared the following checklist of
steps that companies may consider taking so that they are better prepared
in the event that a significant breach incident occurs.

1. Make Friends With Your IT/IS Department.

It is important to be familiar with your company’s risk tolerance and
approach to information security in order to develop an understanding of
your company’s security posture. The time to explore these issues isn’t
after a breach has happened, so ask your colleagues in your company’s
information technology or information security departments the basic
questions (e.g., What’s DLP?) and the tough questions (e.g., Why haven’t we
addressed the data security concerns raised in last year’s audit?). You
would rather learn, for example, that your company does not encrypt its
laptops before one is stolen.

2. Have a Plan.

Many companies have an incident response plan. If your company does, dust
it off. Does it need to be updated based on the current breach environment?
Would it actually be helpful in responding to a high-profile nationwide
data security breach? Does it have a list of key contacts and contact
information? Also, make sure you have a copy printed out in case the breach
impacts your company’s electronic system. If you don’t have a plan, draft
one and implement it.

3. Practice.

Although practice may not make perfect when it comes to data breach
response, you do not want your response team working together for the first
time in the middle of an actual high-stress incident. Gather your response
team and relevant stakeholders and conduct a “fire drill” or “breach
tabletop” exercise (and consider bringing your outside counsel). This will
be invaluable training and an investment in your company’s preparedness.

4. Decisions, Decisions, Decisions.

Someone has to make the tough calls. A high-profile breach incident
presents a series of tough calls (e.g., when will you go public, how will
you respond to the media, will you offer credit monitoring and so forth).
We continue to hear of incidents where there are competing views within a
company about the “right” decision, and incidents where difficult decisions
have to be made based on limited facts. You should give thought to who
within your organization will be responsible for making the tough calls,
and making sure the key decision-makers understand the broader issues that
have to be considered.

5. Know the Law.

In the United States, notice of breach incidents is driven by federal and
state law. There are federal breach requirements (e.g., the
Gramm-Leach-Bliley Act), and there are state requirements in 51 states and
jurisdictions. Needless to say, notice in a nationwide incident can be
complicated. And the laws have been rapidly changing over the last several
years. Someone in your company should be committed to staying abreast of
the current landscape of breach-related requirements (e.g., requirements
for the content of consumer notices and requirements to notify state
regulators). In addition, breaches that affect individuals outside the
United States are even more complicated. Be aware that the number of
jurisdictions with breach-notification obligations is growing, and in many
instances a “breach” includes the unauthorized disclosure of any type of
personal information.

6. Go Outside.

Outside counsel who have a deep practice in this area will have worked on
countless incidents both large and small, and can advise on how other
companies respond to similar incidents and how regulators have reacted.
This is invaluable insight when the tough calls have to be made (see item 4
above).

7. Engage Vendors.

In a significant breach incident, a company’s resources can be stretched
thin. Many companies would not have the capability to produce and mail
500,000 breach letters in just a few days. Similarly, many companies are
not prepared to handle dramatically increased call center volumes after an
incident becomes public. There are a wide variety of vendors that can help
companies respond to a breach incident, including forensic investigators,
crisis communication experts and mail houses, to name a few. Consider your
company’s capabilities and engage vendors before an incident occurs.

8. In Case of Emergency, Call.

The list of individuals and entities that may need to be contacted in case
of a significant breach at your company may be longer than you think. For
example, you may need to contact members of your response team, members of
senior management, your merchant acquirer, payment card networks, a wide
variety of vendors, the press, your regulators, outside counsel and others.
While a comprehensive contact list may seem simple, it can reduce stress in
the heat of the moment if you have one (see item 2 above).

9. Consider Coverage.

Cyberinsurance is one of the fastest growing areas of insurance today. It’s
quite possible that your company already has a policy that would provide at
least some coverage in the case of a data security breach. If so, the
policy should be reviewed to get a sense of the breadth of the coverage and
to determine whether such coverage is appropriate for your company’s needs.
If your company does not have a policy, you can consider the costs and
benefits of obtaining coverage. This is a risk-based decision, but one that
of course needs to be thought about before a breach occurs.

10. Don’t Delay.

Although you can’t control whether a breach occurs, you can control how
your company responds. Many companies will find that there is more that
they can do to prepare for a potential breach event. In light of the
public, regulatory and internal scrutiny that a high-profile breach brings,
you should not delay in considering your company’s preparedness to respond
to such an event.

Concluding Thoughts

Unfortunately, data security breaches have become as inevitable as death
and taxes; accordingly, no company can afford to be unprepared for a breach
incident when it occurs. Although our pre-breach checklist above isn’t
intended to be exhaustive, it should provide a helpful starting point for
companies in thinking about the unthinkable.