What Is an Incident Response Plan? The Collection and Evaluation of Evidence

Developing an Incident Response Plan is imperative for when an organization thinks they may have experienced a data security breach or security incident. One of the most important aspects of incident response is the collection and evaluation of evidence. Just because a laptop computer seems to be missing, the organization does not have conclusive evidence that they have actually suffered a data security breach. So, when an organization believes they have experienced a security incident, the incident must be carefully evaluated, following a professional, disciplined approach to gathering and evaluating evidence, to conclude whether or not a data breach has occurred.

It’s often wise to ensure that all of the details of any investigation into a data breach are maintained as confidential. Keep in mind that your legal adversary may disagree with your own evaluation of the security incident and evidence. So, when an organization is conducting an incident response plan, ensure that all the investigators have signed an appropriate non-disclosure agreement, and to have legal counsel engaged in the investigation. Often times, if counsel is involved in the investigation, they can cloak the investigation into something known as an attorney work product. This is very similar to attorney-client privilege, and a form of confidentiality that is enforced in law.

Once you’ve conducted your incident response plan, gathered and evaluated all necessary evidence, you may then determine if a security incident has occurred, and the appropriate next steps for responding to the incident.

For more insights on data security, follow @BenjaminWright on Twitter. To learn how KirkpatrickPrice can help you with your compliance objectives, contact us today!

Video Transcription

What is an Incident Response Plan?

An important part of the incident response when an organization thinks it might have a data security breach is the collection and evaluation of evidence. Just because a laptop computer can’t be found, for example, doesn’t necessarily mean that the organization has conclusive evidence that it has in fact suffered a data security breach for which it must give notice of under different kinds of laws. Therefore, as an organization sees that is has an incident that needs to be evaluated more carefully, the organization is wise to follow a professional, disciplined approach to gathering evidence and then evaluating that evidence to conclude whether if in fact a breach has occurred for which your organization needs to give notice.

An important factor to bear in mind as your organization conducts an incident response is that the legal adversary of the organization may disagree with the organization’s own evaluation of the incident and the evaluation of the evidence. For example, a legal adversary could be a class action plaintiff’s lawyer or it could be a government regulator. These adversaries, if they were able to gain access to the organization’s full investigative details, might say, “Wait, you had all of this information that shows that you had a breach and that you should’ve given notice, therefore, you’re bad and we should sue you or punish you.” On the other hand, from the point of view of the organization, the organization may actually review the same evidence and conclude, “No, there was not a breach under the law, therefore we should not have given notice.”

So, here’s the point: when an organization is conducting an incident response, it’s often wise to ensure that all the details of that investigation are maintained as confidential. Ways to maintain confidentiality would be 1) ensure that all of the investigators have signed an appropriate nondisclosure agreement and 2) your organization may be wise to actually reach out to legal counsel and have legal counsel engaged in the investigation. Often times, if counsel is involved in the investigation, then counsel can cloak the investigation into something that’s known as an attorney work product. An attorney work product is very similar to an attorney-client privilege. It’s a form of confidentiality that can be enforced in law, so if an attorney is substantially involved in incident response and evidence is collected, and the organization doesn’t want the results of the investigation’s evidence to go to legal adversaries, the attorney work product doctrine will help the organization achieve that goal.

Understanding Data Breaches with Benjamin Wright

Data Security Breaches Occur Every Day

It’s become quite common to see reports in the headlines about data security breaches as different types of organizations are targeted every day. The types of information or data that is stolen as a result of a breach are things like social security numbers, credit card numbers, Protected Health Information (PHI), and Personally Identifiable Information (PII), trade secrets, or intellectual property. The most important thing to consider when it comes to protecting against data breaches is it’s not a matter of if, but when, so be sure to prepare for a breach with both prevention and recovery in mind. It’s also important to be aware of what state and/or federal data breach notice laws may apply to you in the event of a security incident at your organization.

There seems to be a lack of distinction between a security incident and a data breach; not every security incident constitutes a security breach. A breach has occurred when sensitive, protected, or confidential information has been accessed or stolen by someone without the proper authorization to do so. Maybe it’s a lost laptop, a malicious hacker, or accidentally sending sensitive information to the wrong person, it’s important to carefully evaluate every security incident to ensure you are following all applicable data breach laws in the event of an actual breach.

KirkpatrickPrice uses the Six Steps of Incident Response to help organizations determine the severity of a security incident and how to efficiently and effectively remediate. When developing your own incident response plan, take a look at these six common stages of incident response:

1. Preparation

Always document policies and procedures for appropriate disaster recovery to ensure that recovery and remediation will happen quickly. Are you prepared to handle an incident that could happen today?

2. Detection and Identification

What kind of incident has occurred? What is the severity? Has there been loss or exposure of sensitive data? Were any laws or contracts violated? How much information was impacted by the incident?

3. Containment

Notify the right people at the right time to help reduce the damage of a security incident and isolate the infected or compromised area.

4. Remediation

Resolve any issues, malicious code, responsible personnel, threat, etc. What security gaps need to be addressed at this time?

5. Recovery

Implement all appropriate policies and procedures to get back up and running and continue to monitor that the incident has been fully resolved.

6. Lessons Learned

Make sure you know why the incident occurred so you can ensure that the same incident will not happen again.

For more insights on data security, follow @BenjaminWright on Twitter. To learn how KirkpatrickPrice can help you meet your compliance objectives, contact us today!

Video Transcription

A topic in the news is Data Security Breach. We see a lot of reports about organizations notifying the public that they’ve suffered some kind of a breach of information security. So an example of Data Security Breach could be that social security information has been compromised, or maybe credit card information is no longer protected. There are many laws covering Data Security Breaches. Those laws can be state laws, federal laws, or they might be the laws of other countries. These laws  are not uniform and therefore it can be quite confusing for an organization to figure out exactly which law applies when the organization thinks it may have a security breach.

Not every security incident constitutes a Data Security Breach. You may have a lost laptop computer, maybe an employee loses a smart phone, maybe an employee accidentally sends sensitive information to the wrong people. Not every one of these kinds of incidents turns out to be a Data Security Breach under the relevant laws for which you need to give notice. Therefore, when an organization sees that it has an incident, it needs to conduct an appropriate investigation and follow the rules of law in order to determine, “have I achieved the point of having a breach? If I have, then I need to give the appropriate notices under the laws that apply.”

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Benjamin Wright

Benjamin Wright

Attorney & SANS Instructor

Attorney Benjamin Wright helps others navigate the law of technology.

He teaches the Law of Data Security and Investigations for SANS Institute, the premier authority for training information security professionals and digital forensics experts. That 5-day bootcamp is unique in the world.

Wright is author of The Law of Electronic Commerce (Wolters Kluwer) and Business Law and Computer Security (published by SANS).

Mr. Wright advises clients -- in the US and throughout the world -- on privacy, cryptocurreny, e-discovery, data breaches, ethical hacking, smart contracts, IT outsourcing contracts, and forensic investigations (e.g., social media and mobile apps).