Legal Matters: Preparing for and Responding to a Data Breach
Core Elements of a Data Breach Response Plan
An effective and practical data breach response plan should include the following eight elements:
1. Formation of a data breach response team. The team would typically include a senior executive with broad decision-making authority; the chief information officer; the directors of customer service, government affairs, public relations, compliance and security; a senior human resources manager; and legal counsel. Once a breach occurs, the team should be augmented quickly by a digital forensics consultant.
2. Designation of a point person. A member of the response team should be designated as being responsible for coordination of efforts and maintaining the checklist (see No. 8).
3. Identification of potential risks. It's helpful to identify areas of possible vulnerability, including recommended measures to upgrade and monitor data security.
4. List of third-party vendors. All third parties with possession of or access to personal customer and employee information should be listed, along with key contacts.
5. Inventory of information, including:
- data location lists;
- third-party vendor contracts;
- information security policy.
6. State law compliance matrix. A chart should be prepared showing each state's reporting and notification requirements, along with the point of contact.
7. Maintenance of attorney-client privilege in regard to the data breach investigation materials and communications.
8. Checklist in response to an apparent data breach:
- Alert response team.
- Initiate measures to prevent the further disclosure of personal information.
- Conduct an IT forensic investigation to gather evidence and determine the source of the data breach, the means by which it occurred and the information involved.
- Secure relevant physical and electronic records relating to the breach and investigation.
- Determine government agencies to which prompt reporting must be provided.
- Establish a timeline for compliance with government reporting as well as consumer/employee notification requirements.
- Develop text of government agency reports, which may vary in different states.
- Develop text of consumer/employee notification, which may also vary dependent on state laws.
- Prepare a media statement and designate a company spokesperson.
- Notify law enforcement authorities if criminal conduct is suspected.
- Track consumer/employee responses to notification and confirm that all inquiries have been answered.
- Determine appropriate mitigation measures to assist consumers and employees in connection with the unauthorized release of their confidential information.
In the absence of a carefully developed data breach response plan, retailers are likely to be halting in their response and uncertain as to which individuals within their organization should assume responsibility for the various technical, investigative, legal and communicative tasks, which must be completed on an expedited basis. A botched response to a data breach may carry much graver consequences than the breach itself.