Last evening I had the pleasure of talking cybersecurity law with a group of CIOs from some pretty sophisticated companies. It was a great discussion and I learned as much as I shared — just the way I like it. During our discussion, the subject of Incident Response Plans came up and I explained why these are now a must-have.
These days, the minimum standard of care for any type of business requires that it have an Incident Response Plan. The SEC recently reinforced this statement in its consent decree with SEC v. R.T. Jones Capital Equities Management where it stated, “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” (SEC’s press release) The failure to do so violates the “safeguard rule” of Rule 30(a) of Regulation S-P under the Securities Act of 1933. There, is that clear enough for you?
How Long Should An Incident Response Plan Be?
One of the CIOs asked me, “how long should an Incident Response Plan be?” He had been going round and round with his legal team, which thought it needed to be very detailed to the level of 20 or 30 pages (based on what they heard at the latest legal conference). He thought it needed to be much shorter.
Long enough to be EFFECTIVE. Short enough to be EFFECTIVE.
Why Do You Even Need An Incident Response Plan?
Determining what it means to be effective requires asking why you need an Incident Response Plan in the first place. If you have ever been involved in a data breach situation, you understand that it is a crisis situation and people are borderline (if not completely) panicking. Picture being in a building that is on fire. When in this situation, it is hard to think rationally and make well-reasoned decisions — especially in the very short timeframe in which such decisions must be made. So, instead of sitting there trying to figure out what needs to be done and how to do it, you need to already have as much of that prepared as possible so that you can focus on executing — actually doing it.
Considering the reason for why you need an Incident Response Plan, what do you think? Long or short?
As you work through your thought process, click on and view this Data Breach Checklist that I put together, which lists several of the key steps that you must take when there is a data breach — most within hours of the breach. Looking at this checklist and applying it to your organization, ask yourself what is going to help you accomplish these tasks in the most effective way possible.
Next, close your eyes, meditate, find your inner cybersecurity peace, and visualize yourself a year into the future: at that point in time, you have just received the dreaded call that your company has had a data breach. What will you then wish you had done now to help you respond in the most effective way possible?
The answer is, it depends on many factors starting, first and foremost, with the nature of your organization and all that entails. Is it a 20 to 30-page manual or a two-page document of key information and action items? Or, both?
Either comment or tweet me your thoughts.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.