The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Incident Response Plans

  • From Vol. 4 No.38 (Nov. 14, 2018)

    A Roadmap to Preparing for and Managing a Cyber Investigation

    A successful cyber investigation starts before an incident with creating an effective incident response plan and fostering strong relationships between legal and information security teams to set the foundation for tackling the challenges that arise once an investigation has begun. In this guide, we provide a roadmap to help companies ensure they take a successful approach to preparing for and managing a cyber investigation. See “Managing Cyber Investigations: A CISO and In-House Counsel Discuss Best Practices for Real-Life Scenarios” (Jun. 20, 2018) and “Investigative Realities: Working Effectively With Forensic Firms (Part One of Two)” (May 3, 2017); Part Two (May 17, 2017).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    Lessons From the Equifax Breach on How to Bolster Incident Response Planning (Part Two of Two)

    After a vulnerability that allowed hackers to access the sensitive personal data of an estimated 145.5 million individuals, Equifax is now facing numerous class actions along with multiple regulatory actions and investigations. “The facts as we see them raise the question of how well and whether Equifax tested the mega-breach scenario,” Mintz Levin partner Cynthia Larose told The Cybersecurity Law Report. In this second installment of our two-part series on incident response lessons from Equifax’s fallout, we provide experts’ top ten tips on ensuring a plan is efficient and effective. We also address the roles and responsibilities of key incident response stakeholders. In part one, we looked at Equifax’s mistakes and heard from experts on essential components of incident response planning and how to bolster those plans. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    Lessons From the Equifax Breach on How to Bolster Incident Response Planning (Part One of Two)

    While it is now fairly common practice for organizations to have a formalized incident response plan, many organizations fail to test those plans, leaving them susceptible to unanticipated problems. Credit reporting agency Equifax learned this lesson the hard way when it was hit by a cyber attack that exposed the addresses, Social Security numbers and financial information of 143 million customers. The breach has also led to over 20 class actions filed to date, at least one AG action filed thus far (with pending investigations by other AG offices and the FTC), and the departures of the CSO, CIO and the CEO. Other companies can learn from this fallout. In this first installment of our two-part series on incident response lessons from Equifax, we hear from experts on key components of incident response planning and how to bolster those plans by learning from Equifax’s mistakes. Part two will provide expert tips on ensuring an incident response plan is efficient and effective and will address key stakeholders and their roles and responsibilities. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    Cyber Crisis Communication Plans: What Works and What to Avoid (Part Two of Two)

    Even a small cyber incident can erupt into a major high-profile event depending on whether and how it becomes public. Because of the damaging effects press coverage can have, companies should be prepared with a thorough communications plan that contemplates more than just technical answers. In this second installment of our two-part article series on cyber crisis communication plans, experts offer advice on strategies for handling external communications to the media, regulators and other stakeholders, including specific questions companies might face; how to control and coordinate with a third-party vendor; and how to overcome common pitfalls and challenges. Part one covered key stakeholders and their roles, crucial playbook components and the benefits of planning ahead, and how to approach internal communications during a cyber crisis event. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.12 (Jun. 14, 2017)

    Cyber Crisis Communication Plans: What Works and What to Avoid (Part One of Two)

    Not every cyber incident results in a far-reaching compromise or disclosure of personal or confidential information, but even a small incident can erupt into a major high-profile cyber event depending on whether and how it becomes public. The publicity surrounding these events can render them more serious than just the technical problem itself and raises the stakes on how companies respond. Because of the damaging effects press coverage can have, companies should be prepared with a thorough communications plan that contemplates more than just technical answers, experts told us. This first installment of our two-part series on breach communication plans discusses identifying key stakeholders and their roles, key playbook components and the benefits of advance planning, and offers advice on how to approach internal communications during a cyber crisis event. Part two will cover how to control and coordinate with a third-party vendor, strategies for handling external communications to the media, regulators and other stakeholders, and how to overcome common pitfalls and challenges. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.11 (May 31, 2017)

    Reacting Quickly With a Nimble Incident Response Plan

    With constantly evolving cyber threats, a flexible response plan is crucial to direct the quick action that should follow a data security incident. Kim Peretti, co-chair of Alston & Bird’s cybersecurity preparedness and response team, discussed with The Cybersecurity Law Report ways to ensure a company is ready to effectively react in real time to whatever attack it is facing. This includes recognizing various plan triggers and clearly outlining responsibilities. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.7 (Apr. 5, 2017)

    Data Preservation and Collection During a Government Data Breach Investigation 

    When a government is investigating a data breach, the affected company must trigger its incident response plan – and it must know when and how to preserve and collect relevant data. A recent PLI program offered insights on incident response plans as well as best practices for the legal hold process, data collection and communicating with regulators. The panel featured outside attorneys and accountants as well as in-house experts from Hilltop Securities Inc., JPMorgan Chase & Co. and UBS AG. See also “Top Private Practitioners and Public Officials Detail Hot Topics in Cybersecurity and Best Practices for Government Investigations” (May 6, 2015).

  • From Vol. 3 No.4 (Feb. 22, 2017)

    Strategies for In-House Counsel Responsible for Privacy and Data Security 

    Preparing for, preventing and responding to privacy and data security litigation are crucial aspects of the in-house attorney function. Key responsibilities for the role will often include developing training programs and privacy policies, working with the board, choosing the right outside counsel and effectively coordinating with them during major events. As part of a recent Practising Law Institute conference, a panel of in-house and outside attorneys from Greenberg Traurig, Glassdoor, Inc., Activision Blizzard and Pandora Media, Inc., discussed successful approaches to these tasks, as well as lessons learned from mistakes. See “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)” (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    Key Strategies to Manage the First 72 Hours Following an Incident

    As soon as a company has identified an incident, things suddenly start to move fast and the situation can spiral out of control. Questions need to be answered. Is it a breach? What is the next step? Mishandling that first 72 hours after an incident is detected may have significant ramifications for the company’s bottom line. At the recent IAPP Practical Privacy Series conference, Seth Harrington, a partner at Ropes & Gray, and Brian Lapidus, Kroll’s managing director of identity theft and breach notification, covered the most important actions to take and the mistakes that could be made during this crucial time period. See also “How to Avoid Common Mistakes and Manage the First 48 Hours Post-Breach” (Jun. 22, 2016).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    Advice From Compliance Officers on Getting the C-Suite to Show You the Money for Your Data Privacy Program

    The end of the year is often when companies evaluate their budgets, and it is a crucial time to make sure the CEO is educated about data privacy legislation and its potential repercussions. So, how can privacy officers best advocate for system-wide buy-in and budget support of their data privacy programs? At a recent panel at IAPP’s Practical Privacy Series 2016 conference, compliance leaders from Shire, CBRE and InterSystems discussed their three different operational approaches and practical tactics for making sure the compliance office has the tools and the budget it needs to comply with dynamic global data privacy regulations, including the GDPR. See also “Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture” (Oct. 19, 2016).

  • From Vol. 2 No.20 (Oct. 5, 2016)

    Learning From Experience: Five Actions to Take and Five Mistakes to Avoid When Testing a Breach Response Plan 

    Cybersecurity has been an increasing corporate concern for years now and, as a result, most sophisticated entities have at least some form of an incident response plan in place. However, plans are unlikely to be worth the paper they are printed on (or the space they take up on a hard drive) if companies do not test those plans so that key incident response personnel understand the roles they will play, and the decisions they will face, in responding to an actual security incident. In a guest article, experienced tabletop exercise facilitators Kim Peretti and Lou Denning, Alston & Bird partner and associate respectively, explain why it is critical for companies to test their plans using a simulated incident in a comfortable environment to see where improvements can be made before a real breach hits. They detail five key elements to consider and five pitfalls to avoid when testing a response plan. See also The Cybersecurity Law Report’s three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    How Cyber Stakeholders Can Speak the Same Language (Part One of Two)

    In the areas of cybersecurity and data privacy, a company’s attorneys and technical teams must work together closely. The two groups often have different approaches, however, and may not speak the same language when it comes to handling security breaches and protocols. Commonly used terms can be used inconsistently, and their implications misunderstood. In this first article of a two-part series, attorneys and consultants with different perspectives share advice with The Cybersecurity Law Report on the importance of clear communication between key stakeholders. They also examine the different approaches to cybersecurity and detail six strategies for overcoming communication challenges. Part two of the series will explore frequently misunderstood cybersecurity terms and their meanings. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    Checklist for an Effective Incident Response Plan

    A detailed and vetted incident response plan is critical for limiting a cyber attack’s impact – it can ensure regulatory and legal compliance, save resources and decrease the response time. This article outlines: steps to take in advance of drafting the response plan; what to include in the plan; and plan testing measures. For in-depth coverage on the topic, see our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    Minimizing Class Action Risk in Breach Response

    Cybersecurity programs today must take into consideration the risk of class action litigation and include measures to mitigate those risks. David Lashway, a partner and global cybersecurity practice lead at Baker & McKenzie, spoke with The Cybersecurity Law Report in advance of ALM’s Mid-Year Cybersecurity and Data Protection Legal Summit on June 15, 2016, at the Harvard Club in New York City, where he will participate as a panelist. An event discount code is available to CSLR readers inside the article. In our interview, Lashway addresses mitigating litigation risk following a data security incident, takeaways from recent cases such as Target and Sony and class action litigation trends. See also “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation”: Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 2 No.11 (May 25, 2016)

    A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: Does Your Plan Work? (Part Three of Three)

    Many companies recognize that an effective incident response plan can go a long way towards mitigating the consequences of cybersecurity incidents. However, they often make simple mistakes in implementing these plans, largely because they lack a comprehensive strategy to combat persistent cyber threats. In this final segment of our three-part series on the topic, we explore common deficiencies in response plans, challenges companies face when implementing a plan, how to use metrics to troubleshoot and advocate for plan resources, and estimated costs associated with investigating and remediating the inevitable breach. The article features exclusive and in-depth advice from a range of top experts, including consultants, in-house and outside counsel. Part two set forth seven key components of a robust incident response plan. Part one covered the types of incidents the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

  • From Vol. 2 No.10 (May 11, 2016)

    A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: Seven Key Components (Part Two of Three)

    Organizations today face an overwhelming volume, variety and complexity of cyber attacks. Regardless of the size of an enterprise or its industry, organizations must create and implement an incident response plan to effectively and confidently respond to the current and emerging cyber threats. In this second part of our three-part series on the topic, we examine the seven key components of a robust incident response plan, with exclusive and in-depth advice from a range of top experts, including consultants, in-house and outside counsel. Part one covered the types of incidents the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. Part three will explore implementation of the plan, evaluating its efficacy, pitfalls, challenges and costs. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

  • From Vol. 2 No.10 (May 11, 2016)

    Google, CVS and the FBI Share Advice on Interacting With Law Enforcement After a Breach

    Among the many decisions companies must make following a cyber incident are whether, when and how to engage with law enforcement. At the recent FT Cyber Security Summit USA, experts from Google, CVS Health, the FBI and the Center for Strategic and International Studies gave their advice on interacting with the government, and discussed the responsibilities and priorities of the compliance and legal teams in the wake of an attack. See also “Picking up the Pieces After a Cyber Attack and Understanding Sources of Liability” (Apr. 13, 2016).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: From Data Mapping to Evaluation (Part One of Three)

    Many organizations are coming to terms with the troubling fact that they will fall victim to a cyber attack at some point, if they have not already. An effective incident response plan can be one of the best tools to mitigate the impact of an attack – it can limit damage, increase the confidence of external stakeholders and reduce recovery time and costs. The Cybersecurity Law Report spoke with a range of top experts, including consultants, in-house and outside counsel, who answered some of the tougher practical questions that are typically left unanswered in this area. They shared in-depth advice on the subject based on their own challenges and successes. In the first article of this three-part series, we cover what type of incident the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. Parts two and three will examine key components of the plan, implementation, evaluating its efficacy, pitfalls, challenges and costs. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

  • From Vol. 2 No.6 (Mar. 16, 2016)

    How Financial Service Providers Can Address Common Cybersecurity Threats

    The National Futures Association’s Interpretive Notice on cybersecurity, which became effective on March 1, 2016, calls for NFA members to adopt an Information Systems Security Program robust enough to guard against increasingly sophisticated cybersecurity threats. Senior NFA personnel and industry experts recently gathered at a workshop to give advice on complying with the Notice and how to strengthen a firm’s ability to prevent, detect and remediate cybersecurity incidents. This article covers the panelists’ discussion of critical cybersecurity threats; cybersecurity response plans; training; and other practical cybersecurity measures. For previous coverage of the NFA workshop, see “Expert Advice on Newly Effective NFA Cybersecurity Requirements for Market” (Mar. 2, 2016). See also CSLR’s two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    Minimizing Breach Damage When the Rubber Hits the Road

    When a cybersecurity incident is discovered, a company’s first steps are crucial to minimize the damage. Kirk Nahra, a partner at Wiley Rein, gave candid, practical advice for breach response at the recent IAPP conference. He discussed, among other things, the importance of training employees about breach reporting; how the terms a company uses for a breach may come back to haunt them; when privilege should not be preserved; and how getting all of the healthcare providers and vendors in the country into the Dallas Cowboys’ stadium to streamline their contracts could save billions of dollars. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).

  • From Vol. 1 No.6 (Jun. 17, 2015)

    Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two)

    The attorney-client and work product privileges are powerful tools that assist companies in honestly examining cybersecurity gaps, preparing for incidents, and responding to breaches without concern that discussions and recommendations about a company’s vulnerabilities will be subject to future litigation.  Those privileges are “a way of fostering an open consideration of the issues without fear it will necessarily have ramifications,” Alexander Southwell, a partner at Gibson Dunn, told The Cybersecurity Law Report.  Preserving the privilege when preparing for a breach, however, is difficult unless a company properly distinguishes legal analysis from regular operational tasks.  This article, the first of a two-part article series, addresses steps companies should take to preserve privilege in pre-incident response planning and testing activities.  The second part will address how to retain privilege during post-incident response efforts.  

  • From Vol. 1 No.2 (Apr. 22, 2015)

    Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps

    The demand for cyber insurance has dramatically increased as cybersecurity incidents, large and small, proliferate and companies scramble for protection.  The market for cyber insurance has been changing in response to this demand, evolving technology, as well as new cyber regulations that are adding to the cost of breaches.  Roberta Anderson and Sarah Turpin, partners at K&L Gates in Pittsburgh and London, respectively, and Peter Foster, Executive Vice President, Privacy, Network Security, Media, Errors & Omissions and Intellectual Property Risk at Willis Group, shared their insights in a recent webinar about the evolution of the cyber insurance market, policy options available, traps to look out for and how to implement an incident response plan to properly trigger most policies.
