The conventional wisdom is that a company will not have to worry about if it will suffer a data breach incident, but instead when. The smart senior executive is thus a prepared senior executive. But how best to get ready for a potential data breach incident?
Keeping in mind that the threat may come from an external malicious hacker, an internal actor, or a “white hat” activist, being prepared means thinking about several different potential incidents. But there are some common steps that all executives should be taking to ensure their company is prepared. Our suggestions stem both from our experience as a lawyer (Liisa) and a forensic investigator (Garry) involved in these kinds of incidents. In our experience, there are often two competing work streams that occur after an incident is discovered. One relates to containment and control of the underlying security issue. In other words, business continuity. The second involves determining whether or not the incident gives rise to a duty to notify. Often, these goals can be in conflict, or at least resources to achieve these goals can conflict. Different teams work on different sides of the issue. Internal resources are stretched. Outside resources overlap. What can a company do?
With proper advanced consideration, and recognition of the importance of both sides of the issue, companies can — and should — be prepared if (when!) an incident occurs. The following are steps companies can take — both for continuity and to determine notice obligations — before an incident, during an incident, and after an incident has occurred:
Before the incident:
You need more than a response plan; you need a plan for keeping your business going. During an incident, you will need to think not only about notifying potentially impacted individuals, but also how you will keep your company going. You will want to make sure essential business functions continue to operate during and after the incident. You will need a plan that takes into account your business realities, risks you might face, and has reasonable and implementable strategies and plans for those realities and risks. Your organization may need specific operational plans for specific groups within a company to allow them to recover a particular segment of the business. This type of planning enables companies to re-establish services to a fully functional level as quickly and smoothly as possible.
Notification Obligation Issues
Create an incident response plan, and give it a test run! Too many companies are adopting off-the-shelf forms that do not anticipate their own business realities. Or that fail to anticipate the laws to which they may be subject. Put together a plan that will actually work for your company. And give it a test run! When preparing the plan, make sure it anticipates other items we’ve outlined here.
Do you understand — really understand — your business realities and needs? Good business continuity planning requires a good understanding of your company. Being prepared and ready to address a breach if it arises also hinges on a good understanding of the types of information you have, where you have it, and with whom that information is shared. Often called a “business impact analysis,” identify your company’s key products and services and define the time-criticality of the activities that support them. Take steps during this process to understand what your data is, where it is, and where it goes. The results of this work should be fully integrated into both your response and your continuity plans.
Digging into the incident:
Contain and control. Once you have detected the presence of a problem, the lawyers will focus on whether or not you have a duty to notify. The rest of us, though, are thinking about containing and controlling the incident to stop it from spreading further. The type or nature of the incident will determine the appropriate response. Some incidents may require a highly technical team to preserve the scene, recover evidence in order of volatility, and review technical logs to determine the extent of the breach. Other incidents may require forensic accountants to review financial systems. It is critical that the forensic team uses forensically sound practices during the investigation.
Document your work, but be mindful of privilege. Poorly communicated incidents and the lack of supporting reports or evidence may not only result in an inability to learn from the incident, but also a failure to correctly determine the root cause of the incident. In careful cooperation with your lawyers, from the moment an alert is first received, incident logs should be maintained that record the details of the alert and what was done. This documentation, which should be maintained with an eye toward privilege, can be an important resource for the organization. The company should be dedicated to recording and documenting everything that is happening during the crisis, all while carefully considering maintaining attorney-client privilege of such written logs. Carefully curated portions of this information can be invaluable when reviewing the incident later and discovering opportunities for improvement of incident management, processes, and personnel.
Notification Obligation Issues
Figure out from where, physically, your data was taken and consider whether to involve third parties. Third parties, be they forensic investigators, lawyers, or law enforcement, can provide important support as you investigate a breach. Forensic investigators can help determine what has happened, and give your investigation gravitas that it might not otherwise have if conducted internally. Law enforcement may be able to assist in understanding facts that you could not otherwise uncover. And outside lawyers can bring experience and expertise on the laws and how they apply to your own obligations. But, as you think about which third parties to bring in, many will need to know where to physically be sent. Where, exactly, should that forensic person go to look at the data? Into which law enforcement jurisdiction does this incident fall? This may seem like a straightforward question for some incidents. But for others, like when data is in the cloud, determining where the servers are can require some legwork.
Determine where, geographically, the potentially impacted people are located. Even if your business is only located in one state, the state breach laws will apply based on where the impacted individuals reside. This means that if you have a breach involving customers in all 50 states, your business will likely be subject to breach notification laws in almost every state. Additional state and federal laws govern certain types of entities. There are also a growing number of foreign jurisdictions that require notification in the event of a data breach and provide guidelines for standardization of such things as contracts of cloud services providers.
Identify what information may have been subject to a data breach; i.e., would it trigger a breach notification? Not all personal information, if compromised, triggers laws that require notification. Traditionally, many state laws required notice only if “sensitive” information had been compromised (financial account information, social security numbers, etc.). However several states have broader categories of triggering information, which include “personal” information. And the trend has been for the laws to get broader, not narrower.
As you investigate, think carefully about whether the facts suggest a “breach” as defined under the various relevant laws. At the heart of determining whether notification is required under the relevant laws is to analyze the incident itself, and whether it is viewed as a “breach.” While the definition of “breach” varies, there are typically two factors to analyze: a) whether there was unauthorized access and/or acquisition of triggering information and b) if the integrity, confidentiality, or security of the triggering information was compromised. Many laws contemplate that companies will (or must) conduct investigations or work with law enforcement to determine what happened in the incident. Even if these factors have been met, there may be some exceptions, like if the information was in paper form.
What can you improve? Analyze how the incident was handled. How quickly did you respond? How well did your team function? What protection measures were you missing? Thinking about and addressing these issues while the incident is fresh is critical.
Notification Obligation Issues
Prepare the notice — but think beyond the notice. In some jurisdictions, if notice is required, not only must it be made without undue delay, but there is very specific content that needs to be included in the notice. And that notice may need to be made not only to impacted individuals, but state or federal regulators as well. Once notification to impacted individuals and regulators is made, the data breach has been made public. Before you send out the notice, make sure you are prepared for regulatory follow-up and press inquiries.
These tips have been put together based on our collective experience of handling hundreds of data incidents. Some have triggered breach notice laws. Many have not. Some have required in-depth forensic investigations and complicated containment strategies, others have required minimal time to discover the facts and fix the problem. Regardless of what type of incident you are faced with, the better prepared you are, the easier it will be to get the issue resolved quickly and with minimal PR fanfare, scrutiny from regulators, and litigation.
These materials are not intended to be, nor should they substitute for, legal advice, which turns on specific facts.
Liisa M. Thomas
Garry A. Pate