3 Best Practices for Preparing a Defensible Breach Response Plan

This article is a reprint orginally published by Today's General Counsel here. Its author, Ray Pathak, is Exterro’s Vice President of Data Privacy Solutions and leads the company’s privacy solutions strategy. Ray has been involved in the privacy space for over 15 years as a privacy operations leader and privacy software business executive. Prior to joining Exterro, he led Nymity as COO, and led the Privacy and Information Security program for Target Canada.

The General Counsel's Role in Data Breach Response

Football teams understand that it’s hard to be a contender without an elite quarterback running their offense. A top-tier quarterback excels at real-time situational awareness, clear communication with key personnel, and making sound decisions that put the team in a position to win.

In a breach situation, the general counsel must serve as the primary signal-caller, ensuring that all of the legal facets of incident response are coordinated across a large and growing set of internal and external stakeholders.

The ACC’s 2021 Chief Legal Officers Survey found that “cybersecurity, compliance, and data privacy top the list as the most important issue areas for businesses rated by CLOs. However, this year for the first time, cybersecurity has overtaken compliance for the number one spot.”

Because the stakes are so high, the general counsel can no longer afford to be passive and react to data incidents and breaches as they happen. Instead, they must be proactively engaged in defining an incident response plan, training the staff to carry out the plan and coordinating the activity during the event. And they need to start now.

New Privacy Challenges for the General Counsel

Beyond navigating through evolving regulatory challenges, the general counsel must also grapple with today’s most pressing cyberthreat — ransomware, and the real possibility that a data breach will expose them to financial penalties for not taking proper care of their customer’s private information. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently ruled that the payment of a ransom might violate federal anti-terrorism laws. This means organizations may find themselves in an impossible position: Either pay up to save your data and risk criminal exposure or face expensive fines for violating data privacy laws.

And if that weren’t bad enough, criminals are getting more devious with their tactics. New threats are being deployed, such as “double extortion,” by which ransomware operators not only demand payment to decrypt files but also threaten to leak sensitive data as a means to exert additional pressure to extract payments. For general counsel, today’s threat landscape has become a veritable minefield of risk and liability.

Three Steps to Bolster Your Breach Response Posture

Although a comprehensive breach response will require an investment of time and resources, three key steps should be common to every practice.

1. Assess Your Breach Notification and Reporting Requirements.

Not all incidents are created equal. Reporting requirements can vary significantly according to jurisdiction, industry or size. The standards that regulators are setting to hold organizations to account vary significantly, yet there are no exceptions made based on an inability to keep pace. Throughout the response timeline, it is crucial that the general counsel will be able to manage the flow of information within the organization as well as with external stakeholders. This includes the regulators, the technical team dealing with the fallout and restoration of services, the privacy and legal teams, outside counsel, management, shareholder relations, and the board and key investors.

Of course, just because a breach has been mitigated, the general counsel’s job isn’t done. Ensuring the accurate and transparent flow of information is also essential post-breach. A baseline set of communication guidelines for business-critical and urgent communications should be established, including what can be communicated, the sequence of communications and how those communications should be delivered.

2. Build a Rapid Response and Notification Team.

Every minute counts when it comes to responding to a data breach in terms of mitigating the damage, as well as ensuring that each of the stakeholders fully understands its role and responsibilities. An incident response team should be cross-functional, with the roles and responsibilities of each team member clearly defined, and should include stakeholders from the C-suite and the board as well as from legal, operations, HR, PR/communications, engineering and so forth.

A modern response plan must also be defensible. It should, for instance, be able to demonstrate in the event of a breach how an attacker was able to establish and escalate administrative rights, or determine what jurisdictions are in play and what the decision process is to determine reportability in each jurisdiction. It’s also important to remember that it’s not enough to have a plan. Any good plan needs to be regularly tested and refined to ensure that what’s been mapped out on paper also works in a real-life situation.

3. Unify your Governance, Risk and Compliance Silos.

The data that a team needs to be effective in their response typically resides in departmental silos, hampering collaboration efforts that will ultimately delay a timely response. A unified legal governance, risk and compliance (GRC) strategy can help connect the people, processes and technologies needed to ensure compliance, reduce risk and optimize operations to meet the tight timelines required of these regulations. Those that have a unified legal GRC approach will have greater visibility into their data, will be able to better assess the impact that a breach will have on their organization, and will be able to manage the specific response tasks in a more holistic and efficient manner. Those that do not will be left with siloed approaches that misrepresent their risk exposure, and have the potential to fail compliance due to a lack of available information.

Although no amount of careful planning will guarantee that your organization won’t become a victim of a data breach, having a thorough and battle-tested plan in place will serve as a vital roadmap in the event that the unthinkable actually happens.