Security breaches and legal incident issues are more common today than ever before. Sensitive information is being stolen from right under company’s fingertips. Even Wal-Mart and Target, two of the largest companies in the world have been hacked recently.
Since they are still in business, it’s safe to assume they have standards and procedure in place to deal with these attacks. In order to handle and legal or security incidents, it’s never been more important to have a response plan in place. Rather than scrambling at the last minute to pick up the pieces, here are 5 steps to establishing the basics of a successful incident response plan:
1. Assemble your incident response team
Team is the key word here, as one person should not handle a data breach alone. Every incident response team should have a team lead, C-suite representatives, an in-house or outside counsel, a key IT and PR stakeholder, and additional experts on stand-by at the very least. Having this set up before an attack happens will let your company respond to potentially disastrous situations quickly.
2. Research state laws on reporting breaches
Every state has different policies for how quickly your company has to announce a data breach. As a General Counsel or CFO, its important to stay on top of these regulations. Keep your legal incident response team up to date with any law changes and make sure to bring this up immediately in the event of an attack.
3. If or when a breach hits, do not stall
While your first reaction will be to try to assess and buy more time to figure out details, it may not be in your best interest to hold information back from your team or the public for too long. If people find out before you tell them, you may have an even bigger problem on your hands than stolen information – you will have lost the trust of your customers. And in a world where everything is online, keeping consumer trust has never been more important. We agree that you should have your ducks in a row before you make an announcement, but its worth considering the ramifications of waiting too long.
Also, a basic preemptive email statement to key stakeholders can help maintain the trust of your customers, investors, and others. You can always update and modify statements on your website as needed.
4. Make sure employees don’t respond to the breach before you do
Poorly informed employees can easily start or spread rumors, whether they’re true or not. As the team in charge of risk and compliance, it’s up to you to establish a media policy that clearly defines who is allowed and how they should speak to the media. It may be in your company’s best interest to inform employees but not give them the final statement until shortly before going public with a statement. This lets you get your statements in order, keeps your employees’ trust by telling them before going public, and also maintains the trust of your customers by being open with them about the breach.
5. Review your customer agreements
One key component is to have your customer agreements available and ready to review so you know the legal details needed for outreach. Which customers have clauses around incident notification? How long do you have to notify those customers?
Most customer agreements can have some unique details around this item, and any 3rd party agreements (from customers paper instead of yours) may also have something you are not aware of. Make sure you are keeping track of this information and have the tools in place to gather this information quickly if needed.
Make sure your account management or customer success team is ready to send messages to those stakeholders as well. These statements are a huge opportunity to 'spin' the story and keep your customers happy. Make them count.
Now you are ready to make an announcement! But these statements are not the sole responsibility of the PR person. The entire incident response team was assembled for a reason – to work together to solve the problem. With the PR person taking the lead, craft a statement from the perspective of the C-suite representative that clearly defines the problem and the steps your company is taking (or has taken) to solve the incident.
After a specific incident is resolved, it’s not time to disassemble the team. Here is where you evaluate similar situations and try to implement solutions that protect your organization from future attacks. Perhaps there are new tools in the market or new contract best practices you can add to your company policy.
Legal counsels should lead the charge in preparing your org for future data breaches. For more information on how we can help you protect your contracts, visit linksquares.com.