In the wake of recent mega data breaches, it comes as no surprise that companies are working harder than ever to prepare for an inevitable data breach incident. Enterprises of all shapes and sizes from every industry are becoming more aware to the threat of a data breach. As a result, many are taking steps to proactively assemble a data breach response team, combining internal stakeholders and external resources, so that they can be prepared in the event that they experience a breach.
Despite the media coverage of breach events, little information is available to guide organizations through the process of vetting and retaining breach response team members. And the issue has become only more complicated as more and more players have entered the arena, each claiming to have an expertise in breach response. Wait until an issue happens, however, and companies may find themselves in the unfortunate position of enlisting whoever is available, easiest (or lowest costing) to retain versus best for the job, which can lead to disastrous results for both the breached company and those whose information has been breached. Assembling a breach response team in advance of an incident allows entities to thoughtfully and thoroughly vet candidates and ensure retention of the best qualified team for the entity's unique needs.
Practice Makes Perfect
Proactive retention of a breach response team provides the entity with the opportunity to engage in practice runs and fire drills to rehearse their response to a breach incident, which can help to identify communication, technical or other snags before a breach ever happens. Thorough preparation for a breach incident can lead to faster reaction, better coordination and efficiencies, and lower costs should a breach occurs.
Breach Response Team Members
A breach response team should consist of a cross-section of company personnel, including legal, privacy/compliance, IT, information security and other relevant stakeholders from the company's various business units. External members should include outside privacy counsel, computer forensic specialists, and a crisis management firm.
Entities should require all potential external team members to demonstrate their prior experience in handling breach incidents and their ability to scale if a breach turns out to be larger than originally thought. They also should be able to handle breaches with ramifications outside the United States.
Selection of Outside Privacy Counsel
Identifying and vetting external privacy counsel before a data breach occurs should be an element of every security incident response plan. Outside privacy counsel plays such an important role that counsel is often referred to as the "breach coach." Given the critical and central role they fill, the importance of selecting the right breach coach cannot be overstated.
An appropriate breach coach will have a strong and demonstrated background in supporting different types of data breaches. He must have well-rounded knowledge of the breach life cycle from start to finish including the investigation process, breach laws and regulations, notification procedures, regulatory requirements and consumer expectations of the breached company. In addition, a good breach coach will have extensive experience and good working relationships with forensic and crisis management firms.
It is also highly recommended to seek out a breach coach who has established relationships with government stakeholders and regulators. A breach coach with a solid reputation for engaging cooperatively and collaboratively with state attorneys general and federal regulators right from the start is more likely to achieve favorable outcomes for the organization in the aftermath of a security incident.
Michael Bruemmer, vice president, Experian Data Breach Resolution, says that there are several important characteristics that must be considered when selecting a breach coach: "A good legal partner should have experience that goes beyond simply helping with formal legal notification. They should be able to serve as an overall breach coach with a strong understanding of what's needed from the technical investigations, as well as the potential implications of legal decisions on trust and reputation. One effective approach when vetting a legal partner is simply to inquire about their experience and approach working with forensic investigations and public relations firms. Counsel should also be able to provide insights about the latest developments in case law, which should inform all decision-making throughout the process."
Choosing the right forensics firm
Many breaches will require the assistance of a computer forensics firm to identify the cause, timing and scope of the data breach. They should be highly trained, technical professionals who have a demonstrated history of handling a wide range of sophisticated data security incidents. Problems may arise, however, if the forensic specialist is unable to communicate effectively with the organization.
Bruemmer recommends that they have the ability to clearly translate the enterprise risk implications of a data breach into language that the organization's decision-makers can understand. "Often critical information can be lost in translation between the technical team and executive teams, which can lead to confusion and less than ideal decision making. Organizations will be looking for candidates who have demonstrated that they understand that a breach is not just a security issue but also has a potential impact on reputation."
"To effectively contain and investigate a data breach requires a broad set of technical skills including the ability to collect evidence, reverse engineer malware and quickly remediate threats on existing systems," said Erin Nealy Cox, executive managing director of incident response firm Stroz Friedberg. "When identifying potential forensics partners, experience is key. Organizations need to consider the scope and breadth of a firm's incident response experience as well as whether they have industry-specific expertise. They should also ensure the firm has the scale and global reach necessary to act quickly in the event of a breach."
Retaining an appropriate crisis management
How an organization publicly responds to a breach incident can make all the difference when it comes to regulatory and legal liability and the organization's reputation. The costs of a breach often extend beyond legal damages and regulatory/industry fines. Organizations can lose customers and experience sharp declines in share price. And no company wants their corporate name to become synonymous with "data breach."
The right crisis management company will understand the profound effect that a data breach can have on any enterprise. Bruemmer advises that a crisis management firm "should have a strong understanding of data breach processes and experience in crisis communications with both traditional and social media channels. While any PR partner could have the best intentions, if they don't understand all the steps of the data breach response process, they might suggest a strategy that leads to public statements that can land the client organization in hot water."
"It is important that a crisis communications team is intimately involved in all aspects of data breach planning and preparation," said David Chamberlin, executive vice president and head of the data privacy and security group at Edelman. "This is an issue that affects the trust stakeholders have in a company. Integrating communications helps the company lessen the reputational and bottom-line damage a company will experience during and following a data security incident."
Since identifying appropriate breach experts is a relatively new task for many companies, consider starting with a key expert such as outside legal counsel or a cyber insurer to obtain referrals for breach response team members. Also, explore the growing number of data breach and cybersecurity trade shows and conferences to network with and vet breach coaches, forensic firms and crisis management specialists. Lastly, when the full breach response team is assembled, remember to practice the response plan with all team members to ensure that everyone understands their roles and can work together as an effective team.
Judy Selby and Lynn Sessions are both partners at BakerHostetler.