During McGuireWoods’ Nov. 3 Data Privacy and Security Seminar in Chicago, McGuireWoods lawyers Anne Peterson and Alex Brackett conducted a data breach tabletop exercise simulating a variety of breach scenarios. For those who missed the event, here are 10 key points to consider when preparing for and handling data breach incidents:
1. Be prepared. Although it is impossible to predict when or how a breach event might occur, it is possible to prepare in advance. The most important step is to have a designated, cross-functional breach-response team that has been trained, and that has established protocols for engaging at the earliest sign that a breach may have occurred. It is also critical to have an information governance program in place so the organization understands exactly what data may have been impacted, how sensitive that data is and what protections may be in place to safeguard the data.
2. Preserve and protect. Whenever it appears that a breach may have occurred, it is vital that your organization take immediate steps to isolate potentially affected systems, preserve evidence related to the breach, and protect against further damage/compromise to your networks, systems or data.
3. Gather the facts and understand your legal obligations. As with any investigation, the adequacy and appropriateness of your breach response will depend on the underlying facts. One of your response team’s first priorities must be gathering all relevant facts and other evidence relating to the breach. At the same time, the organization must quickly determine what reporting, containment and other legal obligations apply to the factual context.
4. Follow the facts. Similarly, you need to be mindful that the facts will likely evolve as the breach and breach response unfold. You must be careful not to rely on assumption or assume that initial impressions of how the breach occurred and has transpired are correct.
5. Communication is critical. Depending on the type of breach that has occurred or is occurring, customers or other outside parties may or may not already be aware. The same is true of your employees. You need to be thinking from the very beginning about how, what and when to communicate about the breach to both your internal and external audiences, including customers, employees, regulators, law enforcement, insurers, legal counsel and the media. Effective crisis communications, including protocols for fielding and escalating incoming inquiries from outside parties, can mean the difference between a manageable public relations issue and a public relations catastrophe.
6. Consider outside resources in advance. While you may determine that a data breach can be managed without outside counsel or forensic advisors, your breach response plan should have a team of outside advisors identified in advance. You should also have the terms of their engagement negotiated in advance so they can mobilize quickly. Note also that by retaining outside counsel and running the breach investigation through them, you will be better positioned to preserve privilege protections.
7. Expect the unexpected. Every data breach is its own specific organism that will unfold and evolve in often surprising ways. Whether it is uncooperative third parties, questionable behavior by your own personnel or further proliferation of a breach you thought was contained, be prepared to encounter pitfalls and roadblocks.
8. Don’t be afraid to report. Whether to report a breach to law enforcement is a decision that should be made on a case-by-case basis. It should be made thoughtfully, but always keeping in mind that your interests and the interests of law enforcement will typically be aligned. Further, they will often have perspectives, insights and possibly even specific information that can be of significant benefit to your breach response.
9. Debrief and dissect. Once the dust has settled, you should regroup with key parties and perform a postmortem on the breach event. You should review what it was, how it occurred, how it was identified and how the response played out, in order to identify lessons learned and strategies to improve your data security and your breach-response planning.
10.Never stop improving. Data privacy and security are dynamic. The external threats to organizations of every size and sophistication are pervasive, prolific and relentless. Accordingly, you cannot allow your efforts to respond to become complacent and static.