Responding to a data breach is one of the more challenging events a company can face. A breach demands nearly instantaneous decision making. Which servers are affected and should be isolated from the network (but not powered off, since shutting a machine down destroys the memory-resident evidence a forensic examiner will need)? Who should be notified? Should law enforcement, a regulator or the insurer be contacted first? When should the breach be made public, if at all? What experts should be engaged, how much do their services cost and can that budget be approved on a Sunday night? And what is the home phone number of the Director of IT?
Even for the most agile of companies, informed and responsible decision making requires the input of an array of constituencies, some of whom rarely, if ever, have been in the same room together. The classic example is the C-suite and IT personnel: executives may have difficulty grasping the scope of the breach, and the language IT speaks is decidedly not the language of the boardroom. The legal requirements can be contradictory. A regulator (or the FBI) may ask that you notify no one, for example, while your insurer may require notice within 10 days to trigger coverage. The scope of the breach may be unknown, leading to an over-broad response or even paralysis for lack of information. These complications multiply with the size and public profile of the organization.
Preparation is Key
Of course, not every eventuality can be considered, and there is no need to try, but there are certain preparations that are almost invariably required. Think about how a football coach would prepare: he would position his players, prepare them with a game plan and maybe even script/predetermine the first few plays before the team ever sets foot on the field.
Assemble Your Team
A data breach response plan, at a minimum, must identify key individuals, playing different positions, who will run the breach response. They include:
- a member of the C-Suite (typically the CIO if you are lucky enough to have one)
- one or more IT professionals
- the person who identified the breach
- public relations
There may be more individuals or departments required, depending on the size of the organization and the nature of the breach. It is important, however, that the team is kept small enough to function, whatever the scope of the breach. Your response plan should include a way of reaching each of these individuals that does not depend on company email (home phone numbers, cell phone numbers and personal email addresses), because the corporate mail system may itself be compromised or unavailable during the incident. Any email sent from a personal account should be brief and should be aimed at initiating a phone call: personal email may be insecure, and preservation of applicable privileges, including the attorney work product doctrine, is critical.
Simplify the Game Plan and Empower In Advance
The reality of a data breach response is that there are costs involved. Consider a hypothetical example: the IT department recommends retaining a forensic analyst to determine what happened to the data and when. This analyst (a specialty almost no company has in house) will cost $20,000 to get started. Time is of the essence, because it is unclear whether data has been, or continues to be, exfiltrated from company servers. Authority for this expenditure (and even the specific firm to be retained) should be delineated in advance. Since the IT Director is the person most likely to understand this need, it probably should be his or her call whether to deploy the forensic investigator immediately or whether it can wait. Coordinating approvals across a variety of constituencies is difficult, slows response time and can pull in departments (such as accounting) that might not otherwise be involved in the immediate response.
Therefore, strong consideration should be given to a data breach plan that gives the most informed party, the IT Director, the discretion to act, and priorities should be identified and acknowledged at the outset. In most cases, restoration of service is critical, and a good response plan should focus on that first, with forensics to follow; restoration should not, however, destroy the evidence forensics will depend on, so affected systems should be imaged and their logs preserved before they are wiped and rebuilt. The bottom line is this: when in doubt, simplify. Don’t require three approvals for an expense when one will do. If the game plan is straightforward, it will be easier to execute when the pressure is on.
Designate a “Game Manager” Quarterback, and Consider Making it an Attorney
Football commentators tend to divide quarterbacks into two categories: the “gunslinger” and the “game manager.” The gunslinger takes risks and throws interceptions, but can do some amazing things when the game is on the line. The game manager avoids risk, and his team probably scores fewer points, but he plays to the context of the game and lets the other players shine. He “gets the ball to his play-makers.”
A breach response quarterback should be of the game manager variety. Ideally, he or she will facilitate communication between critical constituencies and know when to stand aside and let those with the most information and expertise shine. The breach quarterback should master the playbook in advance, knowing when to escalate decision making and when to empower individuals. And the breach quarterback, like an NFL quarterback, should “touch the ball on every play,” meaning that he or she acts as the focal point for communications across all disciplines within the victimized organization so that efforts are coordinated, not duplicated.
Choosing an attorney to fill the “game manager” role is a smart strategy. First, the company should, to the greatest extent possible, preserve the option of protecting communications relating to the response. Having an attorney quarterback the process increases, but does not guarantee, attorney work product protection for those communications. This matters most in analyzing the origin of the breach and the remedial recommendations from IT personnel, who can get bogged down in technological terminology and nuance; routing those communications through counsel also offers a chance to frame the issues in terms the business and regulators can act on.
Second, communication with third-party regulators is necessary and can be arduous. It is highly advantageous to give regulators a consistent point of contact, and attorneys are typically best positioned to handle day-to-day communications with regulators. And third, the organization will need to understand and tailor its communication strategy to the regulatory environment in any event. Determining which regulators, insurers and customers must be contacted is as critical as the content of the communication, and again, counsel can and should be consulted on this issue.
How to Win The Game
It should be noted that these are simply suggested core elements. Depending on the size of the breach, the nature of the information involved and the consumer/patient base impacted, more features may be required. The key is to plan and practice before a breach occurs. While every eventuality cannot be anticipated, having a plan and practicing it will make on-the-fly adjustments easier and will position your organization for a successful resolution of a very difficult situation.