Developing an Incident Response Plan is imperative for when an organization thinks they may have experienced a data security breach or security incident. One of the most important aspects of incident response is the collection and evaluation of evidence. Just because a laptop computer seems to be missing, the organization does not have conclusive evidence that they have actually suffered a data security breach. So, when an organization believes they have experienced a security incident, the incident must be carefully evaluated, following a professional, disciplined approach to gathering and evaluating evidence, to conclude whether or not a data breach has occurred.
Once you’ve conducted your incident response plan, gathered and evaluated all necessary evidence, you may then determine if a security incident has occurred, and the appropriate next steps for responding to the incident.
What is an Incident Response Plan?
An important part of the incident response when an organization thinks it might have a data security breach is the collection and evaluation of evidence. Just because a laptop computer can’t be found, for example, doesn’t necessarily mean that the organization has conclusive evidence that it has in fact suffered a data security breach for which it must give notice of under different kinds of laws. Therefore, as an organization sees that is has an incident that needs to be evaluated more carefully, the organization is wise to follow a professional, disciplined approach to gathering evidence and then evaluating that evidence to conclude whether if in fact a breach has occurred for which your organization needs to give notice.
An important factor to bear in mind as your organization conducts an incident response is that the legal adversary of the organization may disagree with the organization’s own evaluation of the incident and the evaluation of the evidence. For example, a legal adversary could be a class action plaintiff’s lawyer or it could be a government regulator. These adversaries, if they were able to gain access to the organization’s full investigative details, might say, “Wait, you had all of this information that shows that you had a breach and that you should’ve given notice, therefore, you’re bad and we should sue you or punish you.” On the other hand, from the point of view of the organization, the organization may actually review the same evidence and conclude, “No, there was not a breach under the law, therefore we should not have given notice.”
So, here’s the point: when an organization is conducting an incident response, it’s often wise to ensure that all the details of that investigation are maintained as confidential. Ways to maintain confidentiality would be 1) ensure that all of the investigators have signed an appropriate nondisclosure agreement and 2) your organization may be wise to actually reach out to legal counsel and have legal counsel engaged in the investigation. Often times, if counsel is involved in the investigation, then counsel can cloak the investigation into something that’s known as an attorney work product. An attorney work product is very similar to an attorney-client privilege. It’s a form of confidentiality that can be enforced in law, so if an attorney is substantially involved in incident response and evidence is collected, and the organization doesn’t want the results of the investigation’s evidence to go to legal adversaries, the attorney work product doctrine will help the organization achieve that goal.