Planning for Data Breaches
October 23, 2018
Data breaches are a serious risk, and organizations should allocate resources to prevent them. Prevention, although extremely important, should not be the only consideration. Businesses allocate significant resources to prevent accidents, disasters, and other undesirable events, including data breaches, yet such events inevitably still happen. For this reason, organizations must not only take steps to prevent harm but must also know how to react to it effectively. In other words, they must develop response plans to handle data breach emergencies when they occur.
Understanding the critical steps necessary in responding to a data breach can mitigate damage and save time, money, and worry. Below are a few general but critical action items to consider when crafting a response plan for handling a data breach.
1. Assemble a Team.
Organizations first need to quickly assemble a group of knowledgeable personnel equipped to confront the breach. Depending on the size and type of the breach and the organization, team members should include individuals from all departments, especially IT, legal, communications, and human resources. An organization may also need to engage outside legal counsel and/or forensic experts.
The specific personnel needed will depend on the nature of the breach. However, a company should identify potential team members ahead of time, including outside experts, to expedite the organization’s response.
2. Stop the Bleeding.
A business affected by a breach must quickly mobilize to stop the malicious access to its information. This step is technical in nature and will require working closely with IT professionals to identify the source of the breach, fix vulnerabilities, and secure systems to prevent further data loss. This will involve interviewing those who discovered the breach, determining what information has been compromised, changing passwords, replacing infected equipment, and similar measures.
3. Comply with Security Breach Notification Laws.
Although the United States currently has no central federal data breach law, all fifty states have passed legislation obligating organizations to take steps to inform those affected by a data breach.[1] In West Virginia, for example, businesses and government agencies are required to provide notice of security breaches to individuals whose personal information has been compromised.[2] This notice must include a description of the information, a telephone number or website address that the affected individual may contact for information about the breach, toll-free telephone numbers and web addresses of the major credit reporting agencies, and information on how to obtain fraud alerts and security freezes.[3]
The Federal Trade Commission offers guidance to businesses, including a model letter, on how to communicate with individuals whose information has been subjected to a breach.[4]
4. Contact Law Enforcement.
A business that has fallen victim to a data security breach should strongly consider contacting law enforcement. Depending on the breach, a local police department may not have the expertise to effectively investigate a compromise of data. In such cases, organizations can contact a local FBI office or the U.S. Secret Service.
Regulators have emphasized the importance of reporting incidents to the proper authorities to aid in the investigation and prosecution of those behind data attacks. Businesses should not hesitate to report attacks, as regulators are constrained in what information they may share about the incident.[5]
5. Communicate Effectively with Affected Parties.
Communication is crucial in the wake of a data breach. Businesses should be prepared to assemble a comprehensive communications plan that targets all stakeholders, including employees, customers, law enforcement, and investors. While communications need to be thorough and informative, they should not contain misleading statements or information that puts affected individuals at further risk.[6]
Don’t be caught off guard. By planning through these basic response steps in advance, organizations can design plans tailored to the size and nature of their specific operations. Doing so will promote sound decisions in the event of a data breach crisis and will enable a business to handle a breach with greater speed and effectiveness.
Author: Nicklaus A. Presley, Associate, Commercial Law Practice Group
© October 2018 Jackson Kelly PLLC
[1] The National Conference of State Legislatures has compiled a list of links to the legislation for all fifty states, which can be accessed at http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
[2] W.V. Code § 46A-2A-102.
[3] W.V. Code § 46A-2A-103.
[4] Data Breach Response – A Guide for Business, Federal Trade Commission, https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business.pdf (last visited October 10, 2018).
[5] See Stephen Rynkiewicz, Regulators enlist corporate lawyers in joint response to cyberattacks, ABA Journal (June 26, 2017), http://www.abajournal.com/news/article/cybersecurity_law_breach_response (last visited October 10, 2018).
[6] Data Breach Response – A Guide for Business, Federal Trade Commission, https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business.pdf (last visited October 10, 2018).