Incident Response Steps: What Happens When There Is a Breach?
Opening an Internal Investigation
Imagine for a moment that you believe your company may have experienced a data breach.
In other words, your security company has detected or has been notified of some event. What do you do now?
First, take a deep breath. It is important to think clearly and not react instantly based on gut feelings and instincts.
Next, if you’ve done advance planning, you will have a breach response plan ready to go. It is a matter of executing the plan that you have already created. Initial steps include notification to your breach response team.
Depending on the nature of the breach, team members include senior executives from the legal, IT, security, HR, marketing, and finance departments. Initial meetings can focus on the nature of the events, the initial take on what happened, understanding the severity of the incident, and identifying affected external parties or participants in the event.
Opening an Internal Investigation
Following initial meetings, the initial days of a breach response include an internal investigation to determine the facts and circumstances surrounding the apparent breach. What really happened? Information begins streaming in, and it may or may not show that a breach occurred.
If it is clear that a breach occurred, it might not be clear how it happened, who was responsible, and whether it is still ongoing. The internal investigation phase is to find answers to all of these questions.
At the same time, the internal investigation is starting, internal IT, security, and perhaps external forensic experts should be analyzing systems to determine the best course of action to:
- prevent further exploitation of the breach
- minimize the damage from the breach
- determine the source and scope of the attack
- leave open the possibility of a law enforcement investigation
- detect and find evidence of the attacker
- preserve evidence needed for later legal proceedings, including both defensive and offensive actions
It may not be possible to meet all of these goals. Accordingly, the company may need to decide on the priority of these goals.
Should You Notify Law Enforcement?
During this initial phase, the company should also consider notifying law enforcement. Collaborating with law enforcement has plusses and minuses beyond the scope of this paper.
One important plus for involving law enforcement, however, is the fact that under many states’ breach notification laws, a company may delay in making required breach notifications if law enforcement believes that such delay is important for its investigation of the breach.
Accordingly, working with law enforcement may buy the company some time when it comes to making decisions about the need for, or the timing of, breach notifications.
While the internal investigation is getting underway, the legal team can determine the legal posture of the company in light of the breach. The legal team should consider implementing a litigation hold and its scope, as well as taking steps to preserve evidence relevant to possible litigation. It should also start analyzing possible claims that parties could assert against the company, or possible claims that the company has against others, arising from the apparent breach.
Hiring Outside Counsel
Keep in mind that if investigations may show that the company had vulnerabilities, the company may want to have outside counsel hire the computer forensic experts investigating the breach. Hiring experts in this way makes them an extension of outside counsel.
Communications between the company and such experts can be protected by the attorney-client privilege. Thus, when the company is discussing vulnerabilities and weaknesses in systems or other information that may tend to indicate liability, it can protect such discussions with the privilege.
Issuing a Breach Notification
Upon the completion of an initial internal investigation, the company should develop enough information to determine if a breach notification is necessary and if it is, whom the company should notify. Different jurisdictions have different triggers for notifications, and it is important to analyze their different laws to determine whether notification is needed.
If notifications are required, then the company should determine the timing, and begin drafting the notices for review and approval by the team. Once approved, the company should send notices out as quickly as possible.
In preparing the notices, the company should account for requirements about the content of the notices. It should also take into account those jurisdictions requiring notification to the attorney general or other entities, in addition to the affected individuals. Finally, it should be aware of possible alternative means of notice under certain state laws, in case these means are the only way to inform some of the affected individuals.
Preventing Future Breaches
Once an investigation is completed and law enforcement has wrapped up its investigation, the company can change systems, close vulnerabilities, and remediate problems uncovered by the investigation. The idea here is to prevent the attackers from making additional attacks or exploiting the current breach. In addition, these steps will hopefully prevent future breaches by others.
Following the remediation phase, the company can then “close the loop” and undertake steps to evaluate what happened and make changes to prevent future breaches. For instance, post-breach analysis is a good time to reconsider the controls in the company’s security program to make changes and upgrades to minimize the risk of future breaches. The company may wish to make changes in its security policies, its procedures, technical standards, training programs, supporting guidelines, or technology.
In addition, the company may want to undertake a new risk assessment to provide an updated view of the company’s security posture. A risk assessment is a fundamental tool to determine what risks exist, which risks to mitigate, which risks it makes sense to shift (e.g., through insurance or indemnities), and which risks to accept.
Upon completion of these steps, the company should implement changes to procedures, standards, training, guidelines, and technology based on the information developed in this phase. At the end of this process, the company will hopefully be in a better position to deter, detect, and prevent security breaches.
Stephen Wu is an attorney and shareholder with Silicon Valley Law Group in San Jose, California. Steve advises clients concerning privacy, security, transactions, compliance, liability, and governance of emerging and mature information technologies, such as artificial intelligence, autonomous and connected vehicles, robotics, Big Data, the Internet of Things, and cloud computing. He negotiates technology agreements, resolves disputes for clients, and serves as an outside general counsel for emerging companies. Steve also advises clients on governing and assessing corporate programs to promote compliance and ethics. An author of seven data security legal books and numerous other publications, Steve is the current Chair of the American Bar Association Artificial Intelligence and Robotics National Institute. Also, Steve served as the 2010-11 Chair of the American Bar Association Science & Technology Law Section.