April 17, 2020
How Can I Help My Client Respond to a Data Incident?
by Katja Garvey, Kegler Brown Hill + Ritter
Terms like “ransomware” and “phishing” can be scary, but you and your clients do not have to be afraid: be prepared.
Data protection is increasingly top of mind for businesses. Many clients are afraid of data breaches, but not all incidents are breaches. Understanding the difference and having a plan can help both you and your clients through the otherwise challenging times that often arise when an incident occurs.
As a client’s trusted advisor, what do you do when your client calls, likely stressed out and concerned, because their customers’, employees’ or other personal data may be compromised?
While referring the client to a privacy professional is often the right thing to do to help mitigate harm and appropriately address obligations, below are five steps to help your client focus, gather relevant facts and manage the initial incident response, while demonstrating, once again, that you add value in all areas of their business.
1. Identify, Verify and Document the Incident
As lawyers, we all know getting a grip on what has happened is essential to resolving an issue. So, as an initial step, the team should find out what occurred. For example, was it an internal or external disclosure, from an inside or outside actor, an accident or a malicious attack, and what type of data is at risk?
2. Contain and Mitigate
This step occurs simultaneously with step one. It should be obvious, but it is occasionally overlooked: stop the incident and prevent further compromise.
3. Implement or Create an Incident Response Plan + Assemble Incident Response Team
If your client has an incident response plan (IRP), initiate the first steps in accordance with the plan. If no IRP exists, assemble an appropriate internal and external incident response team. The internal team often consists of professionals on the executive, operations, IT, HR, finance and marketing teams, as needed. The team often includes an external privacy attorney and other experts, like forensic specialists.
The next steps are also critical and require very nuanced knowledge of federal and state law, as well as applicable global privacy laws, such as the EU General Data Protection Regulation.
4. Analyze Legal Obligations + Consider Whether and When to Notify Law Enforcement, Regulatory Authorities and Affected Individuals
The applicable laws and obligations may vary based not only on the organization, but also details related to the affected individuals and information.
5. Prepare + Execute a Notification Plan
Consider both the client’s legal and contractual obligations, as well as the client’s culture and reputation.
During this unprecedented pandemic, while working remotely, you may now have time to prepare. If you, or your clients, do not have an IRP, now may be a good time to get ready for the day the phone rings – the day you receive a client call with the urgent news of a data incident. Getting started may be as simple as preparing an outline for your reference. You could even reach out to clients to discuss putting together a specific IRP tailored to their needs, if appropriate.