Are You Prepared for a Data Incident? Plan Ahead to Allow for an Agile Response
By: Valerie Breslin Montague, Nixon Peabody LLP
CHEF Chapter Communications Committee Member
A robust incident response plan can save valuable time and resources when a data incident arises. While the specifics of this plan will vary based on the size and operations of your organization, the goal is to provide an organized approach to handle incidents related to your confidential information and information security systems. The incident response plan should be broad enough to cover threats to both electronic information and hard copy documents.
As you are creating or reviewing an incident response plan, consider the following elements:
- Define what constitutes a potential data incident, and provide examples that are relevant to your organization, such as a data breach, a denial-of-service attack, and the theft or misappropriation of confidential information. Make clear that the incident response team is charged with responding to both actual and suspected data incidents; an event should not have to be confirmed as a breach before the team is engaged.
- Select an incident response team. This team is responsible for the implementation and execution of the incident response plan. Depending on the resources of your organization, consider including representatives from information technology, legal, management, compliance, public relations and human resources. Designate an individual to manage the team and define the roles and responsibilities of each team member. For example, the team’s legal department representative may be charged with supervising the documentation of the incident discovery, investigation and response; providing guidance on the legal standards for privacy, security and breach notification; assisting in developing a communication strategy for impacted parties; and coordinating with human resources regarding any applicable employment-related issues.
- Take stock of the data that the organization owns and uses, where it is used and stored (including backups and vendor-hosted systems), and who has access to it. This data mapping spares the organization from having to conduct such an analysis under pressure at the time of an incident. Consistent with the requirements of the HIPAA Security Rule, health care providers and their business associates should implement access controls and maintain a current understanding of which employees, contractors and vendors have access to which of the organization's information technology systems.
- Establish clearly who holds the authority to access information systems and take immediate corrective action during a data incident (for example, disabling accounts or isolating affected systems), and who must approve such steps. Containment should be coordinated with the investigation so that logs and other evidence needed to determine the scope of the incident are preserved rather than overwritten.
- Inform the organization's workforce of the channels available to report data incidents promptly. They should have multiple options, such as reporting directly to a supervisor or compliance designee, via email or phone, and an anonymous option such as a hotline.
- Develop a procedure for alerting the incident response team to a potential incident and for the initial steps to investigate it. For example, your organization can maintain an email distribution list for the incident response team, with initial notifications sent to the list and followed by phone outreach. Because the email system itself may be affected by the incident, the plan should always include an out-of-band channel such as phone.
- Develop forms for the incident response team to use as it investigates and responds to an incident, including an incident log, an investigation memorandum and an incident report.
- Conduct periodic mock incident response exercises (tabletop exercises) to walk through the roles and responsibilities of the incident response team members. This allows them to become familiar with the documentation requirements in the incident and investigation forms and builds cohesion in working together as a team.
- Develop template data breach notification letters that are consistent with federal and state legal requirements, which prescribe both the required content of a notice and the deadline by which it must be sent.
- Prepare a contact list of third parties that the organization may wish to contact when investigating or responding to a data incident. This could include an information technology forensics vendor, outside legal counsel, a public relations or crisis management firm and federal and state law enforcement.
Your organization should document this framework in writing, identifying the relevant individuals (internal and external) and the manner in which they can be contacted (both during and after business hours). This plan should be periodically reviewed and updated to reflect any new or restructured roles in your organization’s workforce, as well as any changes required by new laws and regulations or contractual commitments.
Taking the time to prepare for a data incident will enable your organization to move directly from issue identification to investigation and response. Swift action can limit the harm to confidential data and information technology systems and allows the organization to promptly mitigate and address any detrimental impact on the organization and those it serves.