The following is a guest post by Christopher Hart, an attorney at Foley Hoag and a member of Foley Hoag’s cybersecurity incident response team. This is not meant to constitute legal advice; instead, Chris offers helpful guidance for building an incident preparation and breach response framework in your own organization.
A data breach is a business crisis that requires both a quick and a careful response. From my perspective as a lawyer, I want to provide the best advice and assistance I possibly can to help minimize the costs (and stress) that arise from a security incident. When I get a call from someone saying that they think they've had a breach, the first thing I'm often asked is, "What do I do?" My response is often something like, "Investigate." The point is that normally, before the legal questions can be answered and the legal response can be crafted, the scope of the incident first needs to be understood as fully as possible: what systems were affected, what data was exposed, and over what period.
I typically think of data breaches as having three parts: planning, managing, and responding.
Planning is about policy-making and incident preparation. Sometimes, the calls that I get when there is a data breach involve conversations I'm having for the first time; that is, the client has not yet thought ahead of time about what would happen in a breach situation, and how she might need to respond. But sometimes, they come from clients with whom I have already worked to develop an incident response plan. In order to effectively plan for a breach, think about the following questions: What do you need to do to minimize the possibility of a breach? What would you need to do if and when a breach occurs? Developing a response plan allows you to identify the members of a crisis management team (your forensic consultant, your legal counsel, your public relations expert) and to take stock of your data before an incident: what data you hold, where it lives, and who has access to it.
I can't emphasize enough how important this stage is. Often, clients still think of data breaches as technical, IT issues. But the trend I am seeing now, and the advice I often give, is to think of data security as a risk management issue. That means not confining the question of data security to the tech staff, but having key players throughout the organization weigh in, from the boardroom on down. Thinking about data security as a form of managing risk is a powerful way of preparing for, and mitigating, the worst-case scenario.
Managing involves investigating the breach, containing it and fixing the weakness that allowed it, restoring system security, notifying affected individuals, notifying law enforcement authorities as necessary and appropriate, and taking whatever other steps might be necessary to protect anyone affected. A good plan will lead to better management. When people call me (or anyone at my firm's Cybersecurity Incident Response Team, a group of lawyers at Foley Hoag who specialize in data breach response) about data breaches, they are usually asking how to manage this step. But this is only one part of a much broader and deeper picture of data breach response.
Responding can involve investigation and litigation. If you've acted reasonably and used best practices to minimize the possibility of a breach, if you've quickly and reasonably complied with your legal obligations, and if you've done all you can to protect consumers, then you have not only minimized the damage from the breach (which is good for your company and for the individuals affected) but also minimized your risks in possible litigation. In any event, this category involves responding to inquiries and investigation demands from state and federal authorities, responding to complaints from individuals and third parties, and generally engaging in litigation until the disputes have been resolved. This can be a frustratingly time-consuming and expensive process.
This should give you a good overall picture of how I, and lawyers like me, think about data security incidents. I hope it helps give you a framework for thinking about data security in your own organization.
Need assistance? Check out Rapid7's incident response services if you need assistance developing or implementing an incident response plan at your organization.