Data Breach Response: The importance of an incident response plan

Mike Tyson once said that everyone has a plan until they get hit. Plans are still important. Without a plan, you have worse problems. With a plan, you have a better chance to pick yourself up, dust yourself down, and get back in the race. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt reviews why the best response after a data breach often starts with the incident response plan prepared before the breach.

The reason why

An incident response plan is both a sword and a shield.

A good incident response plan will adopt a coherent framework with key critical information and process to enable a swift and effective response to an incident. Who do you need to contact internally? It’s in the plan. How do you reach them? It’s in the plan. What initial information do you need to find out? It’s in the plan. What first steps should you consider? It’s in the plan. If this framework, guidance and information is at hand before an incident occurs, then it will minimize the chance of a panicked response to an incident and mitigate the risk of damaging mistakes in handling the response.

The defensive reason for an effective incident response plan is that any subsequent investigation or litigation will focus on the extent of preparation and readiness of the business for the incident. The absence of an incident response plan is an indication that no management forethought or planning was given to the risk of a serious incident. This will be a negative factor in assessing the responsibility or liability of the business for the incident and the loss and consequences arising from it.

Incidents and breaches

One of the key benefits of an incident report plan is its framework that helps to identify and assess incidents. That process then dictates the nature, scale and extent of the response. Part of this process is to categorise activity into one of four categories:

Event: An event is activity that is normal and within expected security protocols and processes. So, for instance, an event will occur if your firewall appropriately responds to and repels a penetration attempt.

Incident: An incident will occur if an event does not follow security protocols or processes, and gives rise to a risk of exposure of data or unauthorized access to data. The exposure or access may not actually occur; however, the incident has occurred and is logged, assessed and responded to. So, all incidents are events, but not all incidents are breaches.

Breach: A breach occurs when there is unauthorized access to, or loss of, data from IT systems. This is a more serious incident.

Notifiable breach: A notifiable breach is a data breach that meets the legal or regulatory thresholds that require a formal notification of the breach to authorities, regulatory bodies or data subjects. This is a different standard again. Not all breaches will trigger a notification obligation.

An incident report plan will include a system and framework to report and assess all incidents, with different actions triggered according to the outcome once that triage has been performed.

Purpose of an incident report plan

The purpose of an incident report plan is to establish a framework to:

• prepare an plan for readiness in advance of an incident, including establishing an incident response team.
   
• log and report incidents, including how to gather meaningful and reliable information for those reports.
   
• assess and triage incidents, including the factors to consider in making that assessment.
   
• respond to incidents in a swift, proportionate and measured way, focusing on remedial priorities.
   
• review and learn from incidents and responses to incidents for continuous learning and improvement of IT security.

Three key elements

The incident response plan will cover quite a lot of ground, but here are some important elements that are core to the usefulness and success of an incident response plan.

1. Senior management endorsement: The incident response plan must be approved and endorsed by senior management. The plan is not a merely operational matter. If a serious incident occurs, senior management – right to the CEO – will be involved. Senior management should not be running a playbook to respond to a serious incident that has not been reviewed, approved and endorsed by senior management in the first place. Senior management will be responsible and held accountable for the response to a serious incident. Their responsibility starts with the plan itself.
    
2. Incident response team: The incident response plan will identify the key persons who will be actively involved in an incident response, and also stakeholders who will be involved or consulted (even if not actively involved). Roles and responsibilities should be assigned in the plan. Also, their emergency contact information should be included in an appropriately secure and confidential manner. The incident response team should also include external experts or legal counsel who may need to be involved. The team members and stakeholders will be different according to the nature of the incident, and those factors should be reflected in the incident response plan.
    
3. Step plans: The incident response plan will have step plans and action flows to provide guidance on the sequence of steps to take when an incident occurs. This need not be prescriptive. Each incident will be different, and may require a specific response. It is not possible to write down and account for a wide range of actions for a wide range of incidents. However, a good incident response plan will indicate the common immediate steps to take to lead to an appropriate early assessment of the incident.

Some common mistakes

Here are some common mistakes in preparing incident response plans:

Using work contact information as emergency contact information: The emergency contact information will necessarily involve using the personal contact information of incident response team members. This is because business contact information may itself be compromised in a serious incident. For instance, a work email address is not sufficient emergency contact information. Work emails may be compromised as a result of the incident.

Availability of the incident response plan: The incident response plan should be stored in a separate location that is known to those in the incident response team, and that is segregated from the IT system. This is to ensure that the incident response plan is readily available if an incident occurs, even if the availability of the IT system itself is compromised.

Not engaging external advisers before an incident: External advisers may be an integral part of the incident response team. Technical experts may be needed to assess the cause of the incident, stop any aggravation of the issues, and begin remedial work. Legal advisers may be needed for advice on potential liability, breach notifications and regulatory reporting. External advisers need time to go through client and customer onboarding processes. This should be completed as part of the preparation, adoption and implementation of the incident response plan.

Closing thoughts

The ubiquity of data breaches now means that each business knows that a breach will happen to them. It is not a question of if, but of when. That alone clarifies and simplifies the management need.

Preparation is key. Events rarely unfold according to plans, but the process of planning is itself preparation. It educates and socializes key people with key issues, and supports their readiness to respond with confidence when an incident happens.

We, at Tanner De Witt, believe every business must have an incident response plan. This is the case regardless of the size or complexity of the business. If a business has not given forethought to incident response, then its response will be an afterthought, and that form of hindsight will be punished. However, with forethought, then it is more likely that the consequences of an incident will be less, and the recovery swifter. It might be a punch in the face, but you won’t be knocked out – you’ll be back into the race.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.