Data Breach Response Action Plan: Seven Steps to an Effective Response

By Billy Poynter, Kaleo Legal

The following seven steps can help you prepare for, plan and implement your response in the event of a data security breach. All steps should be conducted at the direction of counsel, so as to preserve all potentially attorney-client privileged information.

1. Institute periodic security system and policy reviews.

It is crucial that each company periodically verify its security systems and backup/archive mechanisms. Knowing what you have, and whether it is working, is the first step in responding to a breach crisis. It is equally important to periodically review privacy and other related policies to ensure company-wide compliance, and to ensure that the policies dictate careful response strategies in the event of a breach.

2. Prepare a Response Plan.

Before any breach is ever discovered, each company should prepare a written incident response plan, with input from all stakeholders. The plan should be ready and tested in advance of a breach, and should include at least a policy review, an incident response team, investigation procedures, and a communications plan.

3. Form an Incident Response Team.

The team should consist of a cross-section of members of the following company departments: legal, privacy/compliance, IT, information security, and other relevant stakeholders from the company’s various business units. External members should include outside counsel, computer forensic specialists, and a crisis management firm, in addition to law enforcement officials and regulators as necessary. All internal members of the team should be notified immediately when a breach occurs, and should coordinate all subsequent actions taken by the company in response to the breach. Insurance carriers should be contacted immediately for potential coverage.

4. Have ready a response package.

This package should include, at a minimum, a model notice letter, a frequently asked questions sheet, and a press release.

5. Investigate.

You will need to analyze each company system, determine the nature and scope of the data breach, identify the access point, and document the sequence of intrusion and the remedial steps taken, all under the direction of legal counsel. It may well be necessary to engage a forensic consultant to preserve or analyze evidence of the breach. Determine with the incident response team whether and to what extent to shut down the system and preserve the system image and logs.

6. Provide notice if required.

Depending on the state, and the industry in which you operate, you may be required to provide notice to consumers that a breach occurred. Additional notices to regulatory agencies may be required, as well as notice to consumer reporting agencies. Legal counsel should aid in the determination of whether, when, and how to provide any such notifications.

7. Conduct a postmortem review, and prepare in advance for the next incident.

Be prepared to review and revise vendor contracts, policies, basic documentation, insurance policies, and your written incident response plan. Evaluate in detail the company’s overall response, soliciting feedback from those affected and carefully analyzing press coverage.
