One important element of pre-breach planning involves identifying the jurisdictional and regulatory authorities that govern the business. Organizations must understand and document the legal requirements that specify the actions that entities must take in response to a cybersecurity incident and the timeline involved in responding. When requirements are understood in advance, businesses can avoid the confusion of trying to learn the reporting requirements in the wake of a data breach.
Questions that organizations should ask include:
- What regulatory regime governs the business, and what are its requirements regarding privacy, confidentiality, and data breaches?
- What are the public reporting requirements?
- Who at the organization is responsible for maintaining and updating this information?
- Where can this information be located when the breach occurs?
Data type
Understanding data and its risk potential if exposed is another essential part of pre-breach planning that organizations must attend to. If sensitive data has been exposed, identifying the type of data involved is essential in navigating two issues organizations might face after a breach. First, the type of data exposed might affect what reporting requirements must be addressed and how and when reporting must be done. For example, patient health information will need to be handled differently from other personal data.
Second, the content of the data could dictate the process of extracting relevant information for reporting. Reviewing handwritten patient medical notes is much more time consuming than extracting data from a patient data spreadsheet. Organizations must identify and understand the type of data at issue to plan their responses accordingly.
Questions that organizations should ask proactively – before a breach – might include:
- How does reviewing, analyzing, and reporting on that type of data fit within the organization’s regulatory and legal responsibilities?
- What tools and technologies are available to preserve, review, and report on exposed data?
Questions organizations should ask about data immediately after becoming aware of a breach might include:
- What types of data have been exposed?
- What types of private or confidential information are contained in the data?
Legal counsel
The rules and regulations that dictate an organization’s reporting requirements can be complex, vague, or straightforward depending on the scenario. Therefore, experienced legal counsel is critical in determining the requirements and action plan after a data breach.
In the event of a breach, legal counsel should put in place a defensible process to guide the organization through its responsibilities and the actions it must take to meet legal requirements. An organization should identify capable legal counsel well before a breach occurs to eliminate time wasted on locating counsel in the midst of the crisis. Trying to find a good cyber attorney with experience in a specific industry could be difficult after a breach, so lining counsel up beforehand is critical.
Questions organizations should ask about securing legal counsel might include:
- Who is our legal counsel with cybersecurity expertise?
- What recommendations can legal counsel provide to help the organization prepare in the case of a breach?
- Is this counsel available both to help plan for potential cybersecurity incidents and to quickly set a response strategy in motion when a breach occurs?
Planning ahead
Breaches are undeniably costly, so when a breach occurs, it’s important that an organization is prepared to deal with it as quickly and effectively as possible. That means thinking through legal and reporting requirements as well as potential data exposure long before adverse events occur. Ultimately, pre-breach planning can help an organization respond appropriately and prevent a breach from becoming a disaster.
