The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare.

In the United States, incident response plans are commonplace. Since 2005, the federal banking agencies have interpreted the Gramm-Leach-Bliley Act as requiring financial institutions to create procedures for handling data security incidents.¹ Although there is no federal statute that requires the majority of other types of organizations to create an incident response plan, state data safeguards and data breach notification statutes provide incentives for many other organizations to craft response plans. For example, organizations that collect sensitive personal information about Massachusetts residents are required to “document responsive actions taken in connection with any incident involving a breach of security.”² While the statute does not specifically require that an organization create a written incident response plans, such plans help organizations outline responsive steps that could be taken following an incident, and to create the documentation required by the statute. Incident response plans are also used to comply with the myriad of state data breach notification statutes that require organizations conduct an investigation in the event of a suspected data security breach. Finally, many organizations in the United States are contractually required to create and maintain a written incident response plan. For example, organizations that accept payment cards are typically required by their payment processors to adopt the Payment Card Industry Data Security Standard which, in turn, requires the organization to maintain a written incident response plan.

Like the United States, historically the European Union has only required, on a Union-wide basis, data breach notification in specific sectors like telecommunications.³  While some member states enacted broader notification legislation, by and large there was far less uniformity in the EU between, and among, member states than existed in the United States, and there were few, if any, explicit requirements that companies create – in advance of a breach – a plan for how to handle a data security incident.

The EU’s new General Data Protection Regulation (“GDPR”) includes, for the first time, a broad breach notification requirement. Under the GDPR, a “personal data breach” is defined broadly as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."⁴ It will formally go into force in the spring of 2018.   Although the GDPR does not explicitly require that organizations draft an “incident response plan,” organizations are likely to find that putting plans in place is essential in order to comply with the requirement of the GDPR that controllers notify supervisory authorities within 72 hours of becoming aware of a data breach, or that they make a determination that the breach is unlikely to pose a risk to the rights of individuals.⁵

A good incident response plan does not attempt to predict every type of breach that may occur. Rather the fundamental components of an incident response plan is that it establishes the framework for who within an organization is responsible for investigating a security incident, what resources that person has at their disposal (inside and outside of the organization), and when a situation should be elevated to others within the organization. They can also provide a reference guide for the type of actions common to most security investigations. The following provides a snapshot of information regarding incident response plans.

What are organization’s top concerns when it comes to incident response plans?

1. The plan has little relationship to how the organization actually handles security incidents.
2. The plan has never been tested.
3. The plan does not cover all of the issues that arise in a data security incident.

Checklist for drafting an effective incident response plan:

1. The plan assigns a specific person or group to lead an investigation.
2. The plan provides a clear plan for escalating information about an incident.
3. The plan discusses the need for preserving evidence.
4. The plan incorporates legal where appropriate to preserve attorney-client privilege.
5. The plan discusses how the organization will communicate externally concerning an incident.
6. The plan includes contact information for internal resources.
7. The plan includes contact information for pre-approved external resources.
8. The plan is reviewed annually.
9. The plan is tested.

1. See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice available at 12 CFR 30, 12 CFR 208, 225, 12 CFR 364, and 12 CFR 568, 570.

2.  CMR 17.03(j).

3. EU Regulation No. 611/2013 (June 24, 2013).

4. GDPR Art. 4(9).

5. GDPR Art. 31(1).

6. Ponemon Institute, Is Your Company ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness, p. 1 (September 2014), http://www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf.

7. Id.

[View source.]