Speed Warp – The Data Breach Notification Hustle

By Seth Jaffe.

Companies are starting to feel the squeeze of compressed data breach notification time frames. Facebook is a prime example.

Going by the wayside are the loose timelines for notifying agencies or data subjects, replaced by concrete notification windows. At present, just under 20 states have written specific time frames into their breach notification laws.[1] While many of those windows still fall between 30 and 90 days, proposed bills are starting to creep into the teens. Then there are sector-specific notification laws, such as California’s medical information breach statute, which requires that the Department of Health Services be notified within 15 days. And finally there is GDPR’s blindingly short 72-hour window, which runs from the moment the organization becomes aware of the breach.

Cyber security professionals are quick to list the following recommendations for companies concerned about notification:

  1. Implement a cyber incident response (crisis management) program
  2. Construct and adopt an incident response plan
  3. Designate incident response team members from relevant disciplines, such as information security, legal, communications, human resources, and corporate security
  4. Train incident response team members on the plan
  5. Train non-incident response team members on protocols to convey relevant information to the incident response team
  6. Pre-select data breach vendors and negotiate terms before an incident occurs[2]
  7. Establish relationships with law enforcement
  8. Foster a culture of cyber security

But there is one additional recommendation that is often left off the list: converting your cyber incident response plan into an executable document.

“Executable,” as used herein, refers to plans inclusive of concrete, step-by-step procedures. I’ve written about the need for procedures before, here and again here. Benefits include concrete direction for team members, faster references to ancillary documents, easier communication of complicated concepts, simpler maintenance of the plan, and better training, all resulting in fewer mistakes, reduced workload, and less stress.

Let’s take a look at an example executable incident response plan procedure. Below is an excerpt from a LEO Cyber Security procedure template.

The left column indicates the discipline responsible for carrying out the action. The step is enumerated in the middle, with directions and a step number for easy reference. Reference to ancillary documents is embedded within the step description, as are links to related steps. The right-hand column rounds out the procedure with reference to rules/directives that give color to the reasons behind an action, as well as a rationale.

By transforming its incident response plan into an executable document, an incident response team can get a jump on the ticking clock of data breach notification. LEO can help you make this transition. Our Gemini Cyber Crisis Management program builds execution right into the incident response plan, along with much more.

[1] AL, AZ, CO, CT, DE, FL, MA, MD, ME, NM, OH, OR, RI, SD, TN, VA, VT, WA, WI.

[2] Examples include outside counsel, forensics, public relations, call centers, ID theft protection, and notification letter printing.

Seth is our official rocket scientist in residence. Hailing from NASA’s Mission Control Center, Seth brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to twenty-plus years of technical experience, Seth was previously a member of the data protection task force at a large law firm, and served as the lead Legal team member of an incident response team at a major U.S. airline. Seth is a certified business continuity professional, and he holds a juris doctorate, which is why he also wears the General Counsel hat at LEO.
