Is your company prepared to respond to a data security breach? For many companies, even reading this question causes some anxiety. However, being prepared for what seems like the inevitable—a security breach—can be the difference between successfully navigating the event or not. While we still hear some companies say, “That would never happen to our company!” a significant breach can happen to any company.
In light of this and the close scrutiny that the high-profile breaches reported over the past year have received, many companies have taken the opportunity to consider their preparedness and ability to respond quickly and decisively to such an incident. We have prepared for our readers who are in-house attorneys or privacy officers the following checklist highlighting some steps that companies may consider taking so that they can be better prepared in the event that a significant breach incident occurs.
- Make Friends With Your IT/IS Department.
It is important to be familiar with your company’s risk tolerance and approach to information security in order to develop an understanding of your company’s security posture. The time to explore these issues isn’t after a breach has happened, so ask your colleagues in your company’s information technology or information security departments the basic questions (e.g., What’s DLP?) and the tough questions (e.g., Why haven’t we addressed the data security concerns raised in last year’s audit?). You would rather learn, for example, that your company does not encrypt its laptops before one is stolen.
- Have a Plan.
Many companies have an incident response plan. If your company does, dust it off. Does it need to be updated based on the current breach environment? Would it actually be helpful in responding to a high-profile nationwide data security breach? Does it have a list of key contacts and contact information? Also, make sure you have a copy printed out in case the breach impacts your company’s electronic system. If you don’t have a plan, draft one and implement it.
Although practice may not make perfect when it comes to data breach response, you do not want your response team working together for the first time in the middle of an actual high-stress incident. Gather your response team and relevant stakeholders and conduct a “fire drill” or “breach tabletop” exercise (and consider bringing your outside counsel). This will be invaluable training and an investment in your company’s preparedness.
- Decisions, Decisions, Decisions.
Someone has to make the tough calls. A high-profile breach incident presents a series of tough calls (e.g., when will you go public, how will you respond to the media, will you offer credit monitoring and so forth). We continue to hear of incidents where there are competing views within a company about the “right” decision, and incidents where difficult decisions have to be made based on limited facts. You should give thought to who within your organization will be responsible for making the tough calls, and making sure the key decision-makers understand the broader issues that have to be considered.
- Know the Law.
In the United States, notice of breach incidents is driven by federal and state law. There are federal breach requirements (e.g., the Gramm-Leach-Bliley Act), and there are state requirements in 51 states and jurisdictions. Needless to say, notice in a nationwide incident can be complicated. And the laws have been rapidly changing over the last several years. Someone in your company should be committed to staying abreast of the current landscape of breach-related requirements (e.g., requirements for the content of consumer notices and requirements to notify state regulators). In addition, breaches that affect individuals outside the United States are even more complicated. Be aware that the number of jurisdictions with breach-notification obligations is growing, and in many instances a “breach” includes the unauthorized disclosure of any type of personal information.
- Go Outside.
Outside counsel who have a deep practice in this area will have worked on countless incidents both large and small, and can advise on how other companies respond to similar incidents and how regulators have reacted. This is invaluable insight when the tough calls have to be made (see item 4 above).
- Engage Vendors.
In a significant breach incident, a company’s resources can be stretched thin. Many companies would not have the capability to produce and mail 500,000 breach letters in just a few days. Similarly, many companies are not prepared to handle dramatically increased call center volumes after an incident becomes public. There are a wide variety of vendors that can help companies respond to a breach incident, including forensic investigators, crisis communication experts and mail houses, to name a few. Consider your company’s capabilities and engage vendors before an incident occurs.
- In Case of Emergency, Call.
The list of individuals and entities that may need to be contacted in case of a significant breach at your company may be longer than you think. For example, you may need to contact members of your response team, members of senior management, your merchant acquirer, payment card networks, a wide variety of vendors, the press, your regulators, outside counsel and others. While a comprehensive contact list may seem simple, it can reduce stress in the heat of the moment if you have one (see item 2 above).
- Consider Coverage.
Cyberinsurance is one of the fastest growing areas of insurance today. It’s quite possible that your company already has a policy that would provide at least some coverage in the case of a data security breach. If so, the policy should be reviewed to get a sense of the breadth of the coverage and to determine whether such coverage is appropriate for your company’s needs. If your company does not have a policy, you can consider the costs and benefits of obtaining coverage. This is a risk-based decision, but one that of course needs to be thought about before a breach occurs.
- Don’t Delay.
Although you can’t control whether a breach occurs, you can control how your company responds. Many companies will find that there is more that they can do to prepare for a potential breach event. In light of the public, regulatory and internal scrutiny that a high-profile breach brings, you should not delay in considering your company’s preparedness to respond to such an event.
Unfortunately, data security breaches have become as inevitable as death and taxes; accordingly, no company can afford to be unprepared for a breach incident when it occurs. Although our pre-breach checklist above isn’t intended to be exhaustive, it should provide a helpful starting point for companies in thinking about the unthinkable.