Companies must be prepared for a data breach. It is just a fact of life, plain and simple.
The developing standard of care requires that companies give some thought to how they will respond when the inevitable occurs — and they really, really, really should have a written Incident Response Plan in place. This is part of the basic “blocking and tackling” that I often help companies with, before there is an incident, and, in the big scheme of things, it is not an expensive process.
Remember the lesson of my video: you don’t drown from falling into the water, you drown from failing to get out. This is a big part of how you get out!
Recently, I read an excellent article that discusses Incident Response Decision Making, by Chris Pogue. Pogue discusses 7 key decisions that a company must make following a data breach.
Several of these 7 key decisions can be thought through ahead of time, and those are exactly the ones that belong in a written Incident Response Plan. Then, when the inevitable occurs, you are not running around IN A PANIC trying to think of what to do!
Instead, you already have a plan in place and are ready to execute that plan, carefully and methodically, to protect your company. Here are the 7 key decisions Pogue discusses, and, by the way, the answer to the first question is ALWAYS YES!
- Should We Retain External Legal Counsel?
- Should We Bring In External Forensics Experts?
- Should We Engage Law Enforcement?
- How Should We Respond to Media Enquiries?
- What Should We Tell Our Executives, Investors, and Board of Directors?
- What Should We Tell Our Customers?
- Should We Pursue or Protect?