To be sure, legal counsel is critical in any such analysis and response, and having legal counsel manage your breach response plan and team makes sense in a lot of ways. However, the reality is that data breach response management is often a marathon and not a sprint. You need lots of help along the race course. To do it the right way, it takes a team of experts in various disciplines coming alongside your company to shepherd you through the storm.
1. Leadership. Probably the most important element to a successful response is buy-in and support from executive leadership. If the boss does not make incident response a priority and does not mandate participation in the planning and execution of a plan, the race is lost before it is run. Such leadership by example can be the CEO simply serving on the incident response team. Without a doubt, any decision making on such a team better involve the boss. But, beyond that, a company leader can set a tone for sound data governance well before the breach by designating a privacy or security officer, ordering an enterprise risk assessment, and tasking someone to develop the administrative, technical and physical controls to ensure sensitive information is used properly within the enterprise (and help you determine the scope of a breach quickly WHEN the time comes).
2. Legal. Yes, you really need to have legal counsel engaged from the beginning, and I mean in the planning stages before you even sniff an event. In truth, having legal assistance in assessing your existing data governance plan, identifying gaps and implementing remedies to fill those gaps is critical to success. Indeed, you hope you never get to court nor in the cross-hairs of a regulator, but you must plan like you will. Properly determining whether you even have a "breach" (as defined by one of 47 state laws or in other regulations) can mean all the difference in whether you survive or not. This is where experienced legal counsel can provide great value and direction, not to mention providing the benefits of attorney-client privilege.
3. Public Relations/Crisis Management. Eventually, you will have to tell your story to the media, to customers, and to your employees. This is as much an art as a science, and having a trained professional available to develop, execute and manage that strategy can never be overvalued. And, as it is a marathon, that story needs to be timely all the while being accurate and transparent. Indeed, the telling of your breach story can often do more damage than the breach itself. The coordination between your legal counsel and your public relations expert is critical to a successful implementation of your response plan. Doing it poorly can undo all the work you have done to quickly remedy the actual breach and mitigate any harms.
4. Information Security and Forensics. Company IT folks can do amazing things, often with not nearly enough people or time. Indeed, many companies try and shoe-horn their existing IT staff into security roles as well. In reality, maintaining and operating an information system is not necessarily the same as securing that system. It is most definitely not the same as being able to thoroughly examine parts of that information system for illegal access or exfiltration of data. No, trained forensic experts are often needed to help the team make educated decisions on the scope of any incident and what, if any, affirmative duties exist. Taking time in advance of a breach to identify one or two partners to be available to assist your incident response team in this capacity can be time wisely invested.
5. Operations. If you are going to have to execute a full response, including issuing notice in multiple jurisdictions, you will need help to get the mailings out, manage the call center, and follow up on customer questions and issues. Could you task your own people? Yes, possibly. And, to be sure, you should involve operations management to keep them in the loop as the response impacts day-to-day business resources. But, if this goes on for months and months, you need those operations people to still make widgets and keep your business running. Therefore, all the more reason to consider the inclusion of a third party service provider that can take care of all this for you, and work at the direction of your incident response team and let you keep making your widgets.
6. Insurance. Now, I know you have been probably trying to total up a bill in your head for such a diverse and experienced team as described above. I do not blame you. Data breach response management can be costly. It is hard to anticipate the costs, especially for an extended response. So, as we will discuss in June, I always recommend clients add cyber insurance to their data breach response and risk management tool box. Any data breach brings out the lawsuits. Even if successfully dismissed, these cases take time and money. But insurance should also be considered as policies are now providing your company many valuable services, including bringing in many of the resources and team members listed above. The available coverage has evolved considerably to meet your company wherever it is on the size and risk spectrum.
As with any post, I could go on and on. These are but a few of the key players you should consider to comprise your incident response team. The nuances or complexity of your business might require more, but rarely less. Take some time to consider who should be on your team. Just be careful of the whole "too many chefs" thing, yada yada yada, and you have a bad bowl of soup.