Legal Teams: Transform your privacy incident response from chaos to best practice

The moment that someone in your organization discovers that customer information has been exposed, the legal clock starts.

Within very firm — and often very tight — timelines, you must:

• Determine the incident type (e.g., is it solely a privacy incident or also a security incident or data breach?).
• Gather and understand all the details surrounding the incident.
• Conduct a global regulatory analysis (or a 50-state analysis if your company only does business in the United States), comparing each incident detail with every single regulation that might apply.
• Compare incident details with your contractual obligations.
• Notify regulators, contract holders, and customers, as needed.

Privacy incident management can be stressful. For example, the General Data Protection Regulation (GDPR) allows only 72 hours to notify European Union regulators of a data breach. If you fail to meet that deadline, you face penalties of up to 4% of your global revenue. U.S. states and territories have varying notification timelines and requirements for that same incident.

If you process data for other companies, your contracts likely impose even shorter timelines. (We’ve seen contracts that stipulate immediate notification or deadlines of just a few hours) Your clients or partners must comply with the same regulations you do, since they collected the data from their customers (even though you experienced the breach). So, they build in time margins to ensure they can meet notification deadlines.

All these factors can add up to an ad hoc, chaotic process as your legal team scrambles to beat the clock.

Most incident response plans won’t help in these situations because they’re designed to provide a high-level, generalized approach, rather than actionable guidance for specific incidents. Here are five steps you can take to ensure you fulfill your regulatory and contractual obligations in a timely, well-organized manner.

Step 1: Organize your teams ahead of time

Determine what teams you need for different types of incidents, who should be on those teams, and what their responsibilities should be. 

Clearly, you need a security incident response or cybersecurity incident response team to address adversary attacks and security technology failures. Similarly, you may want an IT team involved for remediating other technology impacts or failures. You likely also need a communications team for drafting public announcements and responses. 

What’s more, you should plan to keep senior executives in the loop (at least) about highly-visible incidents like mega data breaches. The buck stops with them, so you may need them to talk publicly about an incident. Of course, you also need a privacy team of legal executives, typically including a general counsel, who will sift through all those contracts and regulations.

Step 2: Know your data and obligations

Your regulatory and contractual obligations stand at the center of your incident response, so you must understand them through and through, along with your data and its relationship to those obligations. 

We recommend creating a data map, which helps you understand:

• What types of data you have
• Where it’s located  
• Where it’s flowing
• Why you’re recording it 
• The kind of consent you have from different customers regarding data use 

Step 3: Practice, practice, practice

We recommend scheduling tabletops and simulations on a quarterly basis.

Your teams should practice for a number of possible incidents in tabletop exercises, where a scenario is presented and the team works through the incident together so that they have a good sense of what  to do if the incident actually happens. 

Step 4: Learn from experience

After an incident occurs, plan to schedule a “lessons learned” session to discuss ways to: (1) prevent such an incident from happening again, and (2) improve the incident response process.

Security and technology staff will likely focus more on the first area. Legal, communications, and senior executives will join in regarding the second including, e.g., how to respond more efficiently, so the company stays in compliance while also avoiding brand damage and retaining customer trust.

Step 5: Make playbooks for each type of incident

All the actions described above, including the tabletop exercises, become easier when you create playbooks for possible incidents. The key is to make each playbook actionable. With so many possible scenarios, many organizations adopt generic plans outlining general responsibilities and approaches, but that type of framework is just a starting point and won’t be of much use in a real event.

Each playbook must provide step-by-step actions — not just a framework. Be specific. For example, “When XYZ happens, team member ABC must notify cyber insurance provider JKL in less than 24 hours and send them updates every 12 hours.” 

Put together playbooks for every possible type of incident, following these general steps:

• Think about the most common scenarios your organization is likely to face: Would it be misdirected emails? Cybersecurity attacks? Ransomware?
• Consider the threats that other companies in your industry are experiencing
• Identify who will be needed on the response team for that scenario, and what parts of the process they’ll be involved with 

How BreachRx Can Help

The BreachRx platform includes playbook templates for various scenarios. During our white glove onboarding process, we tailor those templates to your business, working closely with you to establish:

• The teams involved in each scenario (some scenarios will only involve one team and others require an integrated team response)
• The business units that will supply members for each particular team
• Who is responsible for which tasks
• Specific timelines 
• Products or partners  to consider (e.g. cyber insurance)
• Regulations and contract clauses that apply to each type of incident 

We built the BreachRx platform with a flexible data schema that’s highly customizable. In contrast to other solutions that offer just one way of doing things you can easily adapt the BreachRx platform to your existing processes.

As a part of the white glove onboarding, we map the processes outlined in our templates to any internal incident response processes you may have already established.

As part of our white glove onboarding, we help you flag hidden risks. For example, customers commonly sign up for a cyber insurance policy but fail to understand the policy’s requirements. If you haven’t done the prep work to weave those cyber insurance requirements into your incident response plan and all your playbooks, you might not get covered, even though you’ve invested a lot of money in the policy.

After going through that initial onboarding, our clients are generally surprised at how easily they can do it all themselves. After set up, you can onboard a new contract or update a regulation in less than five minutes. It’s all very quick, simple, and intuitive. 

The automation built into the BreachRx platform allows your team to skip much of that stressful, “Can we make the deadline?” manual work they’ve been doing. When that happens, they go from sweating the details to executing your company’s obligations and response more swiftly, efficiently, and confidently than ever.