Preparing for a Data Breach: Five steps companies can take now to help prepare for security incidents and cyber events before they happen
- Erin Locker
- November 19, 2021
As the holiday season approaches, regulators and law enforcement continue to remind companies that cyber events are on the rise. Holidays and weekends, when offices are closed and employees are on break, can make businesses more susceptible to cyber attacks, including ransomware, phishing scams, data theft, DDoS attacks, and more.
Now is a good time for companies to assess information security programs and consider taking proactive steps to help prepare for potential security incidents, including the following:
1) Update and test the company’s incident response plan.
Incident response plans (IRPs) are the roadmap your company will follow if an incident occurs. IRPs typically address the following topics:
- Designation of an incident response team, including the members of the team, and what their roles and responsibilities will include. This may include internal personnel (such as the CISO, IT, members of the information security team, internal legal, and communications), as well as external support (such as outside legal counsel, forensic investigators, notification vendors, and public relations professionals).
- Detection and reporting of security events, including the communication channels in place for employee and personnel reporting of suspicious activity and potential incidents.
- Incident classification, including a system for the assessment of security events and potential incidents based upon severity level and risk.
- Investigation and response, including containment, remediation, investigation, and recovery activities; information gathering and preservation of evidence; internal and external communications; and notification.
- Post-incident assessment processes, such as a root cause analysis and ‘lessons learned’ exercise for key stakeholders.
The IRP should also take into account the company’s cyber insurance policy, including any pre-approved vendors and incident reporting hotlines.
In addition, incident response team members and key stakeholders should consider participating in tabletop or “war room” exercises periodically to test the IRP. Such exercises can help the company prepare for a potential incident and identify gaps in its ability to respond quickly and efficiently.
2) Cyber threats are constantly evolving. Make sure your information technology (IT) team is keeping up.
The Federal Trade Commission (FTC) recommends that businesses stay up to date with alerts on current security issues and vulnerabilities from the Cybersecurity and Infrastructure Security Agency (CISA) and follow security best practices, including:
- implementing regular offline backups of data to help combat the risk of ransomware;
- installing the latest patches and updates; and
- ensuring that the company’s infrastructure, systems, and networks are protected by industry-standard security measures, including strong access controls and intrusion prevention software.
3) Update employee security training and send security refreshers regularly.
Are your company’s employees, contractors, and other third parties appropriately trained, and does the business send regular updates and “refreshers” based upon prevalent cyber threats? Training employees, contractors, and third parties who will have access to the company’s networks and systems is a critical activity to help manage the risk of potential security incidents. In most cases, personnel should receive initial privacy and security training during onboarding, followed by periodic training thereafter (as appropriate, based on roles and responsibilities). Put simply: one of the most important aspects of an effective incident response is detection, and appropriate training is key to your personnel recognizing and reporting security events quickly.
Further, sending regular security refreshers can remind personnel of their joint responsibility to help prevent security events. Even with state-of-the-art security, human error can still lead to security events — regular reminders about phishing and other scams, as well as alerts about current cyber threats, can help the company prepare for a potential attack or other events.
4) Know your data.
If your business experiences a security incident or breach affecting data, it’s critical your team understands the type of data impacted — and the potential legal implications of exposure.
To effectively assess and understand the potential risk of an incident, businesses must first understand the data they hold and process as part of their ordinary operations. Creating a “data map” or “data inventory” can help the business more quickly assess risk and potential legal obligations in the event of a security incident.
For example, businesses that experience a breach of certain categories of personal information may have reporting obligations under state, federal, and foreign law. Currently, all 50 U.S. states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have data breach notification laws that may require notification to individuals, regulators, credit reporting agencies, and other third parties of a data breach that impacts certain types of sensitive personal information.
Many foreign jurisdictions also have strict data breach reporting obligations, many of which may be more onerous than breach reporting obligations in the United States. In most cases, the residence of the individual whose personal information is compromised will determine the law that applies. Some companies may also be subject to sector- or industry-specific laws and regulations that require additional steps for incident response and notification.
By understanding the data and information that could be at risk, companies can also more effectively design an IRP that addresses key timelines and notification requirements, and helps reduce potential legal risk and liability.
5) Report to leadership about relevant risks and current threats.
Regular reporting to executive management on current cyber threats and risks to the business is an important aspect of an effective – and compliant – information security program. This step can help to provide leadership with critical oversight of the company’s approach to security, inform decision-making, and ensure that cyber risks are being managed at an enterprise-wide level.
Law enforcement regularly warns of cyber activity over the holidays, and CISA recommends all businesses be especially diligent as this year’s holiday season swings into full gear. Now is the time to evaluate your cybersecurity policies and procedures and ensure your company is taking steps to help minimize the risk of a data breach.
Erin Locker is an attorney at KO Law Firm and a data privacy expert. KO Law Firm is an innovative corporate and commercial law firm with a team of experienced lawyers and a practical, efficient, business-focused approach. Founded in 2003 on the philosophy that a different approach delivers better value, our business-first legal and industry expertise helps established brands and emerging companies achieve meaningful business outcomes. KO is headquartered in Denver and Boulder, Colo., and serves the software and SaaS, retail and manufacturing, professional services, energy, food, beverage and consumer goods, eCommerce and internet, healthcare and life science and ancillary cannabis industries. Reach Erin at [email protected].