Turn on the Camera Part Two: Are You Prepared to Handle a Breach Remotely and Do You Know Your Legal Security Obligations?
During their COVID-19 preparations, companies are dusting off (and deploying) their business continuity plans. Also worth revisiting are incident response plans. Teams working remotely, if faced with a data breach, will still face privilege issues. For this reason, simply moving to asynchronous forms of communication (email, chat, etc.) may not suffice, or may increase legal risk and exposure. Teams will thus need to be prepared for coming together virtually. Turning on the camera to converse remotely with video can be an impactful and important way to effectively handle a breach situation. To prepare, here are three key questions companies can consider:
In the event of a data breach, is your incident team prepared to handle the situation remotely?
What steps will be taken to bring people together? Have those steps been practiced?
Does everyone on the team fully understand how to use virtual technologies, have cameras on their devices, and understand those cameras’ benefits?
In addition to thinking about data breach response, many companies will want to bear in mind the obligations to protect personal information. There are many jurisdictions with laws that govern how companies must protect information. These laws would apply to information the company already holds, and may also apply to new personal information that might be collected during a company’s COVID-19 response (see more about this in the first post in this series). For example, as we have written in the past, New York’s data protection law will go into effect on March 21, and other states already have data security laws in place with specific requirements, including notably Massachusetts and Nevada. And other states, like Ohio, provide companies that suffer a breach certain safe harbors if they have security programs in place.
Putting it Into Practice: As companies reflect on (and use) their business continuity plans, thought should be given to breach response plans, and how teams will handle the (hopefully unlikely) event that they must address a breach with an entirely virtual team. At the same time, thought should be given to the legal data privacy protections that exist, and what steps companies are taking to meet those obligations.