Broadly stated, risk management is the process of the identification, prioritization, and mitigation of business risks. Identification and prioritization of risk happens in all businesses at some level. To be effective, the process requires an open mind capable of considering and evaluating realistic “what if” scenarios. Mitigation of risk includes pre-loss risk avoidance or minimization measures for example by implementing “best practices,” and risk transfer through the contracting process with vendors and customers, or through data breach insurance. Once the risk has materialized, post loss review can identify weaknesses and the need for revisions to existing risk management strategies. Managing cyber risk involves all of these elements and because of the potentially devastating impact of data breaches on your enterprise’s reputation, the priority of managing cyber risk is, or should be, very high for every enterprise that maintains personal and/or financial data (which is to say “all businesses”).
In the increasingly digital world we live in, most experts would agree that it is not a question of whether a particular business will suffer a data breach or other cyber risk event, but a question of when. The inevitability of a data incident counsels strongly for the development, dissemination, and updating of a number of important privacy and cyber security-related documents which are either recommended or required by applicable law. We will be profiling the most common in the months ahead this year. All of these privacy and cyber security documents are important, but one of the most important given that a data breach is truly only a question of when, is the Data Incident Response Plan, specially tailored to your business, in the event of such an incident.
While such plans can and should be developed by those with deep institutional knowledge of your business, confirmation bias (the tendency to interpret new evidence as confirmation of one’s existing beliefs) may blind business leaders to operational risks and/or effective mitigation strategies. Thus, objective, qualified third-party review of your business’s proposed Data Incident Response Plan is strongly recommended.
In high-level outline format, such a plan should:
- Broadly define the data incidents subject to the response plan.
- Identify and update a listing (with full contact info) of the individuals or entities selected by the company as part of its Data Incident Response team with current institutional knowledge of and responsibility for the business’s data holdings and data operations both in-house and with vendors.
- Identify in advance and update a listing (with full contact info), of potential breach response counsel and data forensic experts and reputational or crisis management vendors, with contact information.
- Provide a reporting mechanism for all employees regarding cyber risk and cyber risk incidents to appropriate management and/or in-house counsel.
- Proactively limit information flow regarding the incident to those who need to know, who should be expressly identified, with contract information, including any third party, insurance, law enforcement and/or governmental notification obligations and contacts.
- Outline a communications strategy and protocol, with a required management approval mechanism for all communications regarding any data incident affecting employees or customers.
- Establish an effective post-incident or “near miss” feedback loop (in the event of unsuccessful or thwarted attacks), with the objective of adding this process, including the study of reported incidents occurring to competitors or similar businesses to your industry to your annual privacy and cyber security audit process for continuously revising breach risk mitigation and response policies as necessary.
- Any such plan should be reviewed annually, distributed broadly, be the subject of ongoing internal communications and training efforts, and be a part of the new employee on-boarding process.
If you need help in developing your business’ Data Incident Response Plan or in otherwise managing your cyber risk, including the use of data breach insurance as a risk management tool, please contact the author of this alert, Joe Sano [email protected], (617) 456-8145, or Bill Rogers, Data Privacy and Security Practice Group Chair, [email protected], (617)456-8112.