New Jersey Law Journal: Preparing for a Data Breach

Ranging from the mom-and-pop retailer to the middle market companies that cater to regional or national customers to billion-dollar enterprises with a global market presence, organizations of all sizes and industries can be targeted by bad actors and are susceptible to a data breach. Owners, directors, and managers of many small to midsize companies think that their organization is not on a bad actor’s radar—whether because of the size of the organization or the “benign” data they process—while leaders of billion-dollar companies may believe their organizations are more than adequately secured, sufficiently trained, and outfitted with the latest and greatest technology measures to ward off any attempts by bad actors to infiltrate their systems.

However, in our experience, and as a quick search will confirm, preparing and planning for a data breach should proceed on the premise that the question is not if—but when—a data breach occurs, whether your organization is a one-person shop or a multinational operation. While there are various articles, presentations, and literature on how to mitigate risks that may result in a data breach, most do not address the preparation and planning for such a breach. There are a multitude of steps to take in planning and preparing to respond effectively to a data incident (or breach), and, at a minimum, organizations of any size should consider implementing the following:

Organize

This is where the nuances between the size, industry, and resources of an organization matter and must be assessed. Middle market companies often have very lean in-house legal teams (if any), sometimes an army of one or two, without experience in the realm of data security and breach response. On the other hand, global enterprises with robust legal departments and divisions may not have in their ranks counsel with technical backgrounds or niche knowledge of the various (and growing) array of federal, state, and foreign privacy and security laws that may apply to their organization. As an industry- and size-agnostic means to assess and prepare for a data breach, legal teams for companies of all sizes need to organize and assemble selected personnel in information technology, compliance, human resources, finance, and management roles. Each department will have a unique or particularized perspective with respect to how a bad actor may target certain vulnerabilities, how a data breach could impact the organization technically, operationally, administratively, and financially, and what steps the organization must consider to mitigate the impact of such a breach. For middle market organizations with smaller departments and fewer personnel, this may mean working with a managed security service provider (MSSP) and outside breach counsel to assess the legal and regulatory requirements and measures that are applicable to such organizations. This team approach to incident response planning is essential for that plan to be effective for the entity as a whole.

Review

Once these stakeholders have been identified, provided their perspective, and presented to the decision makers, it is imperative to review the variables involved in adequate planning for a data breach. For example, it is important to ask the following:

  • What industry regulations and standards apply to the organization?
  • What state jurisdictions are at play?
  • Where does the organization operate?
  • Where are the organization’s customers?
  • Where do employees reside?
  • Has the organization adequately categorized, mapped and indexed the data collected, transmitted, stored, and retained by the organization?
  • With respect to the latter, can the organization confirm that no data has been retained longer than what is permitted by the organization’s data retention policy?
  • How does the organization store such data (e.g., hot site, warm site, cold site, etc.)?
  • What is the organization’s attack surface?
  • Are there organizational assets (e.g., servers) accessible via the internet that should be offline?
  • Can company devices be wiped remotely?
  • Has data been backed up, and if so, are those backups air gapped and have they been reviewed to confirm the data is intact?
  • Does the company have servers and/or laptops available or a source for the same if its equipment was compromised and the entity needed to rebuild its environment?
  • What systems are critical to ongoing operations? Are there redundancies or alternatives if those systems were unavailable?

All these interrelated questions cannot be answered by a single employee or department of any organization of any size or industry in isolation. Stakeholders will ideally gather and work as a team to prepare accordingly.

Plan and Train

Companies large and small should have a written incident response plan—a playbook—to guide the team through various scenarios, whether a ransomware attack, miswired funds, stolen devices or otherwise. The plan should include communication protocols that contemplate the outage of normal email or work phone connections. Key third-party vendors should be included in the playbook, with points of contact and each vendor’s role. These may include your insurance carrier, breach counsel, crisis communication firm, forensic resource, as well as banking relationships and critical system vendors. Contact information for clients and employees should be included, reviewed and updated periodically. The playbook should include the legal reporting mandates of the federal and state laws to which the organization is subject. Templates should be created for collecting information relevant to an incident and its response.

Just as fire evacuation plans are tested and drilled, the cyber incident response playbook should be tested with tabletop exercises. Walk through scenarios with your team and confirm the team is ready to move quickly if needed.

Be sure that all staff members know to whom and how to report a suspected incident, whether during work hours or over holiday weekends.

Incident response team members should have playbooks at work and at home, too, and the plan should not be stored only on a computer, where it may become inaccessible in a cyberattack.

Budget/Cost Presentation

Prepare and educate senior management as to the costs involved with a breach. Costs may include:

  • Legal fees
  • Forensic fees
  • Crisis/PR communication fees
  • Replacement equipment
  • Dark web searches
  • Ransom payments
  • Credit monitoring services
  • Regulatory fines

And of course, were litigation to ensue following a data breach, these costs can escalate. Prepare your management for these potential costs and document the cost savings achieved by planning before an incident occurs.

Adapt

Your plan should be adaptable: as your business, personnel and vendors grow and change, your plan needs to account for growth and changing roles. These tools and tests should be reviewed and updated no less than annually.

Reprinted with permission from the November 27, 2024 issue of the New Jersey Law Journal. © 2024. ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.