June 28, 2022

Volume XII, Number 179


June 27, 2022


Litigation Minute: Creating an Incident Response Plan

Data Breach Series: Part One of Three

WHAT YOU NEED TO KNOW IN A MINUTE OR LESS

Reported incidents of data breaches have reached record levels over the last two years.[1] Given this undeniable reality, a data security incident response plan is no longer a luxury; it is a vital tool in every company’s larger crisis management plan. A well-thought-out and thorough response plan can not only significantly reduce the confusion that often follows a data security incident, but can also reduce the pitfalls that often lead to regulatory scrutiny and putative class actions in the United States and the fairly recent “group actions” in the European Union.

In a minute or less, here are the essential components of a working incident response plan.

Key Roles and Responsibilities

An incident response plan must identify those individuals responsible for invoking the plan and leading the response to any data security incident. It should identify one person who is ultimately accountable for the response and clearly define the roles and responsibilities of all other response team members, including a member of top management.

Timing is critical in the wake of a data security incident. The use of tabletop exercises can detail team members' respective roles, provide the necessary skills to navigate an incident, and facilitate teamwork with other appropriate personnel to manage the incident.

This section of the plan should be supplemented with key external resources, such as a detailed contact list for legal counsel, forensic investigators, and local law enforcement, such as FBI cybersecurity agents. Considering the often-constricted timeframes for breach notification requirements, best practices dictate having these external resources identified and familiar with company systems, saving valuable time during a crisis.

Assessment, Containment, and Eradication of the Data Security Incident

The plan should also contain clear definitions on how to identify whether the company’s systems have been breached or compromised. Here, it is important to document the extent of the breach, its effects, and the potential source of the compromise.

Once the breach is clearly identified, the plan should outline the steps that should be taken to contain the incident (e.g., systems to be taken offline, information to be deleted safely, short-term and long-term strategy to prevent further unauthorized access or other nefarious conduct).

Internal Information Technology teams, as identified in the roles and responsibilities section of the plan, are often well positioned to assess the nature and potential scope of the incident, as well as how to mitigate damage. This includes assessing which systems and data might be involved and the availability of backup systems (intervention should be minimal, so as not to interfere with an impending independent investigation). After containment, the plan should address doing whatever is required to eradicate the cause, ensuring all malicious content is wiped clean from company systems without compromising data. Then, and only then, can the plan address getting affected systems back online.

Communications Plan

Finally, the plan should anticipate the need to communicate about the incident, both internally and externally. Communications to the C-suite and board are almost always required, and depending upon the incident, select or all employees may need to be informed. For example, a ransomware event impacting all email systems likely requires a communication to all employees.

Legal counsel can help determine the scope and content of any external communications to insurers, third-party vendors or business partners, and, depending on the incident, impacted data subjects and regulatory agencies as warranted or required by law. This section of the plan should therefore state when notifications may be appropriate, including the process for notifying key stakeholders and impacted parties in a timely fashion. Lastly, the response team should discuss a “retrospective” of the documented incident to evaluate its cause and future preventative action. The incident response plan should be adjusted based on the lessons learned.

FOOTNOTES

1. Experian Data Breach Resolution. (2021). Eighth Annual Study: Is Your Company Ready for a Big Data Breach? Ponemon Institute.

Copyright 2022 K & L Gates
National Law Review, Volume XII, Number 129

About this Author

Desiree F. Moore, KL Gates, intellectual property liability lawyer, entertainment litigation attorney
Partner

Desiree F. Moore concentrates her practice in a wide variety of complex commercial disputes, including intellectual property, entertainment, product liability, labor and employment, art law, and class action defense. Ms. Moore also has significant experience with law and technology, including emerging issues surrounding social media and the law. She has counseled individuals and corporations on best ways to maximize social media for business, implement regulations for social media in the workplace, and curtail harmful social media practices. Ms. Moore also has...

974-4424-6133
Claude-Étienne Armingaud, KL Gates, Paris, data protection lawyer, commercial contracts attorney
Partner

Claude-Etienne Armingaud’s practice focuses on the representation of public and private companies in the area of information technologies and intellectual property law. Mr. Armingaud provides counsel to his clients at all stages of their corporate life cycle and in wide-ranging transactions, including in connection with litigation compliance matters, intellectual property protection and development, data protection strategic operations, and other commercial contracts.

Mr. Armingaud regularly advises start-up companies in matters relating to...

33-0-1-58-44-15-16
Tyler G. Anders Associate Orange County K&L Gates
Associate

Tyler Anders is an associate at the firm's Orange County office. He is a member of the litigation and dispute resolution practice area.

Previously, Tyler served as a summer associate for the firm in 2018. He was also a judicial extern to the Honorable André Birotte Jr. of the United States District Court for the Central District of California. Tyler is a 2011 Teach for America Washington, D.C. Corps alumnus.

949-623-3518