Data Breach Response: The role of the incident response team

There is no “i” in “team,” but there is I.T. in the incident response team to a data breach. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt looks at the key people involved in the incident response team.

The core team

The core members of the incident response team will be involved in all security incidents and data breaches. This can be distinguished from other persons who may be pulled into an incident response either because of the type of security incident or to perform isolated specific tasks.

The key members of the core incident response team are:

Information security team. The infosec team will focus on the downstream issues and consequences of the security incident. This will be an almost exclusive focus. The incident response plan should make clear that the primary role of the infosec team is to identify, contain and resolve the security incident. This inevitably means that the infosec team will have limited involvement in upstream communications to executive management or externally to regulators, customers or other stakeholders.

Frequently, in the course of the incident response, the infosec team be separated physically from other members of the incident response team. The infosec team may be in a separate “war room” with limited rights of access by others. This is important so that the infosec team can retain its exclusive focus on downstream issues.

The incident response plan will address the resources needed by the infosec team to effectively respond to a serious security incident. The incident response plan should foreshadow that the infosec team will need stand-alone, separate systems that do not rely on or automatically access the systems under attack.

The incident response plan will also outline how reports and information will be provided by the leader of the infosec team. Management should anticipate that the infosec team will not be available to respond to ad hoc queries or be pulled into ad hoc meetings.

The infosec team must ensure it preserves forensic evidence of each stage of the response to the security incident so that these records can be reviewed in any subsequent investigation. This may require engaging and involving external technical experts.

Legal team. The legal team may be a combination of internal legal and external legal.

External legal counsel should be involved as soon as possible after a serious security incident is identified. This involvement can help to ensure that sensitive communications provided to external legal counsel for advice will be protected by legal professional privilege. The incident response plan should require management to engage external legal counsel in anticipation of a security incident. This allows the law firm to conclude its client engagement and onboarding procedures beforehand. Then, the law firm can be immediately ready and able to respond upon instructions when a security incident occurs.

The primary role of the legal team is to advise on legal issues and legal obligations requirements from the security incident. One of the immediate and important legal assessments is whether a mandatory personal data breach notification is required. This is a technical legal issue. Management should not decide to make a mandatory notification without the involvement of the legal team. If mandatory notification is necessary, then the legal team will advise on who the notification should be made to, and what the notification should contain.

The legal team will also advise the infosec team to preserve communications and records to a forensic standard for further review later. The legal team will stress that the business must ensure evidence is not lost, destroyed, or tampered with.

The legal team will review regulations that apply to the business to assess whether any other notices should be given to industry regulators or financial institutions.

The legal team will review important commercial contracts to assess whether there are any contractual notification or other requirements under those contracts in the context of the security incident. For instance, the legal team will assess whether the security incident will give other contracting parties the right to terminate the contract and claim damages.

The legal team will also be involved in other public communications to ensure management does not breach applicable laws or regulations or increase other legal risks.

The legal team will also assist management in any notification needed for insurers.

Public relations team. A serious security incident or data breach can have a profound adverse impact on the reputation of the business. Frequently, management will engage public relations experts to advise on and help manage the public response to a security incident.

The incident response plan should provide that public relations consultants are engaged before a security incident occurs. This allows management to undertake a proper selection process of the appropriate consultants. The critical factor will be the experience of the consultants in crisis situations that involve data breaches. There are particular tensions and acute sensitivities that arise in data breaches that are not necessarily present in other crisis management situations. Management will wish the public relations consultants to advise in a way that is aligned to the culture and values of the business.

The ancillary team

There are other members who are important in an incident response plan, but do not need to be actively and always involved. These include:

The CEO. The CEO is the person who will be the most important public face of the business in relation to the security incident. The CEO will directly deliver critical public announcements. The CEO will be the person identified as having primary responsibility for mandatory breach reporting to regulators. Employees and other stakeholders will look to the CEO for leadership and direction. The CEO should actively reaffirm the corporate values and culture of the business as the security incident unfolds.

Human resources. Businesses act and respond through people. There must be a good, calming, and consistent message to employees so that employees are aware of the security incident, and their role is in responding to it. The message should be clear and transparent, containing the accurate information necessary for employees to be informed and able to respond.

Finance. The cost of a security incident can be significant, unbudgeted and immediate. The finance team needs to be briefed and authorised to promptly release funds and resources needed to effectively respond to a security incident.

Executive management. The incident response plan should clearly identify a person in senior executive management tasked with the responsibility to coordinate the incident response and lead the incident response team. This person should be given the authority to make critical decisions in the security incident. He should be comprehensively trained so that he is equipped to work systematically and transparently when a security incident occurs.

Customer relations. Customers will be nervous when a security incident or data breach is publicly notified. The customer relations team must be briefed with clear, consistent and accurate information so that they can provide the information that customers will need to respond and protect themselves from any consequences of the security incident. If the business establishes a customer hotline, then the systems and resources deployed must be sufficient to meet the anticipated volume of customer calls or communications, and the customer relations team must be adequately staffed to meet those queries.

Closing thoughts

In incident response team does not happen by itself. Like all good teams, the incident response team will be selected with careful planning, properly resourced, and fully-trained before going into action. If these key ingredients are in place – people, plans, resources, training – when a security incident happens, the incident response team will be primed and ready to respond and react effectively and in alignment with the corporate culture and values of the business.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.