December 3, 2022

Volume XII, Number 337



U.S. Complex Commercial Litigation and Disputes Alert


Reported incidents of data breaches reached record levels over the last two years.1 Given this undeniable reality, a data security incident response plan is no longer a luxury; it is a vital tool in every company’s larger crisis management plan. A well-thought-out and thorough response plan can not only significantly reduce the confusion that often follows a data security incident, but also reduce the pitfalls that often lead to regulatory scrutiny and putative class actions in the United States and the fairly recent “group actions” in the European Union.

In a minute or less, here are the essential components of a working incident response plan. 

Key Roles and Responsibilities

An incident response plan must identify the individuals responsible for invoking the plan and leading the response to any data security incident. It should identify the one person who is ultimately accountable for the response and include clearly defined roles and responsibilities for all other response team members, including a member of top management. Timing is critical in the wake of a data security incident. Tabletop exercises can ensure that all team members understand their respective roles, have the necessary skills to navigate an incident, and are able to work closely with other appropriate personnel to manage the incident.

This section of the plan should be supplemented with key external resources to leverage, including a detailed contact list for legal counsel, forensic investigators, and local law enforcement, such as FBI cyber security agents. Considering the often constricted timeframes for any breach notification requirements, best practices dictate having these external resources identified and familiar with company systems in advance, to save valuable time that would otherwise be spent trying to secure such services during a crisis.

Assessment, Containment, and Eradication of the Data Security Incident

The plan should also contain clear definitions of how to identify whether the company’s systems have been breached or compromised. Here, it is important to document the extent of the breach, what it is affecting, and the potential source of the compromise. Once the breach is clearly identified, the plan should outline the steps to be taken to contain the incident (i.e., which systems can be taken offline, whether anything can and should be safely deleted, and the short-term and long-term strategy to prevent further business disruption, unauthorized access, or other nefarious conduct). Internal information technology teams, as identified in the roles and responsibilities section of the plan, are often well-positioned to assess the nature and potential scope of the incident and how to mitigate damage, including assessing which systems and data might be involved and the availability of backup systems (intervention should be minimal so as not to interfere with an impending independent investigation). After containment, the plan should address doing whatever is required to eradicate the cause and ensure all malicious content is wiped clean from company systems without compromising data. Then, and only then, can the plan address getting affected systems back online.

Communications Plan

Finally, the plan should anticipate the need to communicate about the incident, both internally and externally. Communications to the C-suite and board are almost always required and, depending upon the incident, select or all employees may need to be informed (for example, a ransomware event impacting all email systems likely requires a communication to all employees). Legal counsel can help determine the scope and content of any external communications to insurers, third-party vendors or business partners, and, depending on the incident, impacted data subjects and regulatory agencies as warranted or required by law. This section of the plan should therefore include when notifications may be appropriate and the process for notifying key stakeholders and impacted parties in a timely fashion. Once the incident is closed, the response team should conduct a “retrospective” of the documented incident to evaluate why it happened and what can be done to ensure it does not happen again. The incident response plan should then be adjusted based on the lessons learned.



Copyright 2022 K&L Gates

National Law Review, Volume XII, Number 66

About this Author

Tyler G. Anders, Associate, Orange County, K&L Gates

Tyler Anders is an associate at the firm's Orange County office. He is a member of the litigation and dispute resolution practice area.

Previously, Tyler served as a summer associate for the firm in 2018. He was also a judicial extern to the Honorable André Birotte Jr. of the United States District Court for the Central District of California. Tyler is a 2011 Teach for America Washington, D.C. Corps alumnus.