Key Questions to Ask When Preparing a Data Breach Response Plan (Part I)

As many companies have learned first-hand, data breaches and security incidents can arise at any time, and when they do, they can quickly consume an organization. Although companies often don’t get advance warning before a data breach occurs, you can better equip your organization to respond to the myriad of issues arising in the wake of a data breach with some thoughtful advance planning. One of the most important steps: develop a breach response plan.

Well drafted security breach response plans provide a playbook for an organization to follow when it learns of an actual or suspected security incident or data breach. Among the elements it should include:

Response team members and contact information
Procedures for analyzing and containing a potential data security breach
Communication plan that considers all the organization’s stakeholders (customers, vendors, shareholders, regulators)
Plan for notifying affected individuals
Remediation measures to be taken following a data security breach
External resources (legal, communications, IT security/forensics, and credit monitoring service providers)
Credit bureau information
Insurance information (if any)

In preparing a security breach response plan, your organization should ask a wide range of questions about its operations to help craft a plan that covers as many of the potential issues and scenarios as possible while tailoring the procedures used in the wake of an incident to the organization’s culture, business, regulatory landscape, customer philosophy and risk tolerance. We’ll start with a couple questions here, to be continued in additional posts:

What kind of personal information do we collect and from whom?

Personal information comes in all shapes and sizes and includes any information relating to an identified or identifiable person (employees, consumers, patients, etc.). Examples of personal information include: a person’s name, physical address, phone number, e-mail address, social security number, credit card numbers, driver’s license numbers, passport numbers, other ID numbers (whether generated by the organization or not), date of birth, savings account, checking account, insurance policy or other health account or financial account number or information, security codes, PIN, passwords, health or disability information, employee background checks, including credit reports, and any records that are derived from this information that relate to an identified or identifiable consumer

When preparing a response plan, it is critical to identify the various types of personal information collected by the organization and from whom it is collected. In undertaking this analysis, don’t forget to look at the personal information collected from employees as well as external audiences.

With this information in hand, you can then determine where the information is stored, in what form it is collected and retained (physical, electronic, etc.), who can access it, how long it is retained and how it is secured.

Which third parties collect, access or use our personal information?

A security breach plan should not only address incidents or breaches that occur internally, but should also plan for breaches involving third party vendors who are involved in the collection, use and storage of the organization’s personal information. Some obvious third parties include cloud storage vendors, data center providers, physical records storage vendors and third parties that provide processing, analytics and other data-focused services.

In addition to vendors with a significant role in handling personal information, there are many other third parties that, although easy to overlook, are just as important to identify. For example, an organization should identify consultants, contractors and vendors who have access to company systems (even if they are providing seemingly unrelated services like marketing, graphic design, accounting or legal services). Likewise, the list should include any vendors who have access to physical infrastructure used to collect, store or process data, including vendors who service systems and other computer hardware or vendors who supply and service mobile devices, tablets, medical equipment or other similar systems (even HVAC systems).

In each case, the organization should ensure it has appropriate contractual safeguards in place with each vendor to protect the information as well as clear requirements that the vendor notify the organization if it detects or suspects a breach involving or related to the information.

We’ll follow up with some additional questions to ask on the topic in upcoming posts.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.