
Why Your Organization Needs a Data Incident Response Plan: The Growing Need for a Planned Response.

Data security breaches affect organizations of all sizes.  Whether it is Zappos.com with its 24 million customer accounts[1] or your local Subway franchise,[2] no business is immune from the threat of a data security breach.  Breaches take many forms, from sophisticated hacking intrusions to simple thefts of laptops and cell phones.[3] Therefore, all organizations should plan for the possibility of a data security incident.

Organizations must be able to respond in a timely manner in order to contain costs, mitigate public relations harm, and comply with applicable state and federal laws.  The financial, business and legal considerations are often complex and should not be put off until an event occurs.  Planning ahead is necessary in order to comprehensively address all the issues your organization will face should a data security breach occur.  A data incident response plan can provide your company with a playbook to successfully navigate a potential incident.

In creating a data incident response plan, your organization should:

1.  Create an incident response team.

Your organization should create a team of individuals that will convene in the event of a significant data security breach.  The team should include at least one member of your organization with broad decision-making authority so that decisive action can be taken in a timely manner.  Further members should include persons trained or experienced in media relations; persons with access to, and authority over, key systems so that those systems can be analyzed and their data and logs preserved; persons with an understanding of the legal requirements relating to a breach; and persons designated as “first responders” who are available 24/7 in the event of a data security breach.  First responders should be instructed to contain an incident without destroying evidence: wiping or rebuilding an affected system before it has been imaged and its logs copied can make it impossible to determine the scope of the breach later.

In addition, your organization should decide whether the response team will include third-party service providers such as outside legal counsel, who can assist you with legal and regulatory compliance, and data forensic experts, who can assist you with investigation and mitigation of the breach.

2.  Create an incident response plan.

Your organization should be prepared, in advance of a data security breach, to respond in an efficient and effective manner.  In order to ensure an organized response, a response plan should address:

  • How data security breaches are reported internally;
  • How data security breaches are investigated internally;
  • When law enforcement, if applicable, must be notified; and
  • When and how the breach will be communicated to customers and/or the public.

A comprehensive response plan should also ensure that, in the event of a breach, an assessment is made regarding:

  • The scope of the breach;
  • The types of data lost or exposed;
  • The sensitivity of the data lost or exposed;
  • Number of individuals affected;
  • Places of residence (e.g. state or country) for individuals affected;
  • Likelihood that data may be used to cause harm; and
  • Ability of the organization to mitigate harm.

Finally, a response plan should determine which members of your organization have final authority regarding important decisions.  Roles within the incident response team should be clearly defined so decisions can be made quickly and efficiently.

3.  Determine notification requirements.

All but four states[4] have laws related to data security breach notification.  Unfortunately, these laws are not uniform and each imposes its own notification requirements.  Different states may impose different definitions of protected data, covered entities, notification deadlines, safe harbors, and penalties.

If your organization has customer data, chances are your organization also has data relating to individuals residing in states outside of your own.  Therefore, your organization is likely governed by notification laws of several states.  Federal law may impose additional notification requirements depending on your organization’s industry.[5] Finally, if your organization holds information of customers living outside the United States, notification of those persons may be required under their countries’ own laws.

In short, notification requirements may be exceedingly complex for a given breach incident.  Regulations and laws overlap and often conflict.  Therefore, it is prudent to establish and understand these requirements prior to an event.  Your organization does not want to find itself grappling with these complex issues for the first time in response to an actual data security breach.

4.  Draft appropriate responses and determine how they will be communicated.

Customers and clients may lose confidence in an organization when there is a data security breach.  Prompt notification regarding any problems, however, may mitigate damage in this area.  In the event of an incident, your communications to customers should include:

  • A brief description of what happened;
  • A description of the types of personal information that were involved in the breach (e.g., full name, Social Security number, home address, account numbers, zip codes, email address, passwords, etc.);
  • A brief description of what your organization is doing to investigate the breach and mitigate potential harm;
  • Contact information (e.g. toll-free phone numbers, email addresses, website address, and postal address) for affected/concerned customers who have questions regarding the breach;
  • Steps individuals should take to protect themselves from identity fraud; and
  • (If applicable) A description of the services your organization is offering in order to assist affected customers.

The manner of your communications may, in part, be governed by applicable notification laws.  For instance, some laws require that notification be made by particular methods (e.g., written, electronic, or telephonic) or within a set period after discovery of the breach.  Yet, regardless of the method or form of your notice, your organization should draft sample communications, prepared in advance, to be utilized in responding to an actual breach.

In addition, your organization should designate a spokesperson to handle any inquiries from the media.  Others in the organization should be instructed to refer media inquiries to the designated spokesperson.

5.  Determine if remedial measures are necessary.

A data incident plan should evaluate whether remedial measures should be offered to affected individuals.  If there is substantial risk of identity theft or other harm to customers and/or clients, your organization may wish to offer to pay for services such as identity theft protection and credit monitoring for a designated period of time (commonly one year) on behalf of those individuals.  Moreover, even if the risk of harm is minimal, your organization may still wish to provide these services in an effort to offset any inconvenience and anxiety experienced by customers.  These measures may assist in preserving customer loyalty and reducing potential liability related to the breach.

By establishing a planned response in advance of a potential data security breach, your organization will be prepared to handle the myriad complex business and legal issues that accompany each event.  More importantly, your organization will be able to mitigate potential harm and losses effectively.  Given the rise of data security breaches in today’s environment, the importance of this planning should not be overlooked.

If you would like to talk with someone in more detail about what steps your organization should consider taking in the event of a security breach, please feel free to contact David McConnell or Joe Talbot directly 1-866-774-2635 or dmcconnell@hold.perkinsthompson.com or jtalbot@hold.perkinsthompson.com.


[1] See http://blogs.zappos.com/securityemail (alerting consumers of a data security breach).

[2] See Sean Gallagher, How hackers gave Subway a $3 million lesson in point-of-sale security, http://arstechnica.com/business/news/2011/12/how-hackers-gave-subway-a-30-million-lesson-in-point-of-sale-security.ars (last visited Jan. 30, 2012).

[3] Online Trust Alliance, 2012 Data Protection & Breach Readiness Guide 5 (2012).

[4] As of December 1, 2011.

[5] See, e.g., HITECH notification requirements, 45 C.F.R. § 164.404 (2011); FTC Health Breach Notification Rule, 16 C.F.R. pt. 318 (2011).