Every incident response plan should be written and approved at the highest level in the organization. Incident response planning is not strictly an IT issue; a business’s data is as important to the capital value and revenue potential of the company as its physical offices or manufacturing facilities, and often more so.
Categorize stakeholders as “responsible,” “accountable,” “consultative” or “informed.” The plan should describe the business’ data breach response team with an allocation of roles for investigating, mitigating and informing necessary parties about any cybersecurity incident. The team should regularly assess and document the effectiveness of the plan and make required updates as security incidents become more sophisticated. A dusty plan sitting in a desk doesn’t work; continuous revisions are essential.
Know What’s Required After a Breach
When a breach is detected and the response plan is invoked, moving quickly is critical to managing the implications for the company brand and financials.
Stopping the breach is, of course, the first order of business. When that’s done, analyze the scope of the incident, the type of data involved and the affected individuals so that the business can manage the post-incident repercussions. Management and corporate relations — not the IT staff — should assess communications outside the company. Have the legal department (or outside counsel) assess the statutory duties to inform affected individuals, insurance carriers and state or federal officials.
All 50 states and the District of Columbia require notification on some level, depending on the type and extent of the affected data. And federal laws such as the Gramm-Leach-Bliley Act require notification of data breaches for specific types of financial data. Businesses that operate internationally must consider whether the overarching provisions of Europe’s General Data Protection Regulation apply. And don’t forget to check the business’ own privacy policies and contractual commitments, which may require a higher duty than the relevant laws.
Whatever the particular legal requirements, it’s almost always best when news of a breach comes from the company rather than being leaked. Some companies have attempted to hide data breaches that later became public. The result is always negative for their reputation and brand value.
However, the details you must disclose after a data breach depend on a combination of legal and contractual requirements, including the types of data breached, the extent of the breach and the source of the breached data. A best practice is to have a template letter that the business’ legal counsel can adapt as part of its incident response plan. The template should include the date of the notice, the entity notifying the affected individual, contact information for questions, a brief description of the incident, the date of the breach (as best as the business can tell), the types of data breached, the organization’s efforts to contain the breach and prevent similar future breaches, and contact information for the applicable credit reporting and government resources (if necessary). The letter comes from the highest position within the company, as the official voice of the company in responding to the incident.
To Pay or Not to Pay
Should a business that is victimized by a ransomware attack pay the ransom? It’s a complicated question.
The FBI recommends not paying in almost all cases. But it is not their company at risk, and there have been many cases where a company’s management decided to pay ransom in hopes of receiving a promised encryption key to unlock their data and contain the incident. Certainly, there is no guarantee that the threat actor will supply the encryption key once paid. And the malware may damage the data, making it unusable even with the encryption key.
But these types of decisions are strictly business decisions — not for lawyers or authorities — and the decision-makers are ultimately responsible to their investors and other stakeholders for this type of cybersecurity incident, as they are for every other major corporate decision.