Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services.
Strange as it sounds, when an investigation ends with a determination that no breach actually occurred, we often hear from the company that it is glad to have had the “near miss” because it now feels better prepared for a real incident. We use incident response workshops and tabletop exercises to help companies reach that same level of preparation without the panic and anxiety of a “near miss.” We have conducted incident response workshops for over 75 companies in the past two years across the healthcare, retail, financial, consumer product, and technology industries.
The goal of the workshop is to help companies become “compromise ready.” A company facing a potential incident cannot undo the fact that the incident occurred, but it can be seen as responding to the incident appropriately. And “appropriately” does not just mean getting the legal compliance part right; companies also have to get the reputational and customer relationship part right. Companies increase the likelihood of “getting it right” when they have a plan. Key components of that plan include knowing who is on the incident response team and identifying the law firm and other service providers the company will work with.
Workshops are usually presented by two members of our Privacy and Data Protection team, many of whom have responded to hundreds of security incidents. The workshops usually last four hours and are conducted for a flat fee. The attendees are typically the members of the incident response team, which for most companies consists of representatives from legal, information security, information technology, risk management, communications, human resources, and key business leaders. In advance of the workshop, we review and provide comments on the company’s incident response plan. We also conduct one or two interviews with the company to help us build a realistic mock breach scenario (if the scenario does not fit the company, the incident response team will spend more time “fighting” the scenario than working through the response).
We begin the workshop with a presentation tailored to the specific state, federal, and industry privacy, security, and notification laws and guidelines applicable to the company, followed by a discussion of how incidents occur and the current threat landscape. We then provide our incident response “best practice” recommendations, illustrated by multiple “good” and “bad” examples drawn from our experience and from other public incidents. The examples cover vendor selection, the content and timing of notification letters, regulator interaction, when to involve law enforcement, and communications with customers. We conclude the workshop with a tabletop exercise designed to test the incident response plan. Having an incident response plan is a first step toward being “compromise ready,” but a plan that sits in a binder on a shelf is not enough. Companies that test their plans consistently through tabletop exercises using realistic mock breach scenarios hone their plans and, more importantly, train their incident response team in the process.
Now that privacy and security have become “boardroom” issues, we have also conducted training sessions for executive leadership teams and outside directors. These sessions focus on identifying risks and threats, as well as on understanding what goes on behind the scenes of an incident, so that executives can ask the right questions to assess the company’s state of preparedness and prioritize the investments they should make to improve their compliance profile, reduce risk, and become “compromise ready.”