Monday, May 8, 2017

Data Breach Response: Testing and Preparation Are Key

New York Law Journal

Elizabeth Lampert and Lara Cupit, New York Law Journal
May 8, 2017

Today, cyber breaches have become increasingly common and are no longer limited to credit card companies or retailers. Businesses such as law firms, financial institutions, and health care organizations that house highly sensitive data are now also at great risk of a data breach. Because of this rapidly increasing risk, it is becoming more important than ever to have a comprehensive plan that has been thoroughly tested.

It is not enough only to have a plan in place. Simulation exercises that test the plan and the ability of staff to execute it can help to keep panic at bay should a breach occur. This kind of preparation can also help to minimize damage to the company and its clients or customers, and it can assist in the investigations or litigation that often follow a data breach, as it demonstrates that the company took the appropriate steps to prepare for a breach in addition to working to prevent one.

Your Response Team

As with any crisis response team, a data breach response team should consist of the key people within the organization, each of whom plays a distinct role. Each member of the response team should be involved not only in putting the plan together but also in testing it and updating it as necessary.

The CIO will play an instrumental role not only in managing efforts to protect data and avoid a breach, but also in developing the response plan, testing it, and implementing it in the case of a breach. The executive team, including the CEO and CFO, should also play a major part in developing and testing the response plan, and a member of the executive team will likely serve as the spokesperson in the case of a breach.

A PR director and any outside PR representation are important parts of the response team as well, as they will craft the message points and statement, field all media inquiries and coordinate with the spokesperson. It is also important to include the Director of HR, as employees will need to be notified appropriately, and there is a high risk of exposing employee data in a data breach. Of course, you include the firm's GC, who is and has to be running the show to a very large extent.

In Crisis, What Needs to Be Done?

When a crisis hits, you want to be sure your position and key messages are airtight based on the facts you have at the time. Be prepared with a brief statement that includes a summary of the problem and how you are responding to it, with an emphasis on empathy, as appropriate.

Next, make a decision: Can you use the media to your advantage in this situation? The relationships you have carefully cultivated with media are critical to success. Depending on the history and duration of your relationship, an off-the-record conversation may be valuable, but handle with care, as always. And remember, it is important to keep a media call log of both incoming and outgoing calls.

On your intranet, do you have the makings of a crisis page, and do all parties know how to access it? Immediately build a crisis page that includes need-to-know information about the situation, and alert your employees to it. The page should have access controls so that you can manage different levels of content and permissions: for example, spokespersons have access to everything, partners have access to a subset, and staff yet another layer of information. Establish a communications protocol under which all personnel forward any inquiries related to a crisis to the designated media representative on the response team.

What about your media lists? Do you have a list ready of the five reporters and editors who write about your firm on a consistent basis and who would likely call in a crisis? Include their full contact information on your intranet and update this as often as needed.

Also on your intranet, there should be a running list of the logins and passwords for your social media accounts, restricted to your core team, so that they can post in a crisis.

If a crisis hits, set a call-in number and designate a meeting place for the team. Determine the best means to communicate and agree on a check-in schedule. Make sure all members' office, cell, and home phone numbers are listed.

Test Your Plan

Once your response team is in place, and you have the necessary information on your intranet, it is important to test your data breach response plan. This means creating simulation exercises that run your response team through the plan in a variety of situations, from a minor breach to a much more serious incident.

When a crisis hits, it is time to triage the situation quickly, anticipate what will happen next and gauge the level of interest by the types of audiences that are impacted. Your team should get busy unearthing what is already in the public domain and assess the emotional tenor on a point scale, with "no uneasiness" being 1 and "full trepidation" being 10.

Isolate the most critical issues—any interrelated business, reputation and legal elements that impact each other, as well as any ancillary issues that might stand alone.

Your simulation exercises should concentrate on the following areas, looking for any points that fall short of their required task or areas for improvement in each.

Internal Communication Process. Testing how your team communicates under the extreme pressure of the situation at hand will tell you where there might be a breakdown in communication, as well as how information and process flowed as the pressure ramped upward.

Look for the obvious: How well did the team follow the crisis plan? How did the front-end staff do with incoming calls? Were all inquiries forwarded to the designated party set forth in your plan? Were all the right steps taken to mitigate any damage?

Media Relations. You'll have an opportunity during a simulation to see how well your team was able to craft a statement and key message points as the incident unfolded. When evaluating, look at how long your team took to craft a response. How long did it take to triage the situation and obtain internal approvals? Before the scenario, did the media relations team:

• Prepare a list of the reporters who would likely call in a crisis?

• Know where to find contact information for all decision-making parties?

• Have the social media logins at their fingertips to post the approved statement to all social media, should that be an action you would take?

And did the spokespeople stay on message points?

There are other legal decisions on which the GC will advise, and which the crisis response team should work through before a real breach hits. What did your general counsel suggest about notifying customers and clients?

Do you have cyber insurance? If so, what are you required to do under your policy?

Wash, Rinse, Repeat

A big part of running through your response plan is to test the manner in which the firm will respond. A data breach response simulation isn't likely to be perfect the first time, even for a minor incident, so evaluating the team's performance and implementing any changes are important. This allows the team to improve on any areas of weakness, develop new policies or procedures if necessary, and make any adjustments to the response team that would be beneficial.

Once the evaluation has occurred, and any necessary changes have been made, run through the simulation again. Improvement and repetition will instill confidence. As you can see, being a member of the breach response team is serious business, and avoiding a downward spiral is paramount.

Elizabeth Lampert is president and Lara Cupit is an account executive of Elizabeth Lampert PR.
