Considerations for a Data Breach Response Plan

Virtually every day there is another headline of a business security breach; what would you do if your firm’s name was in that headline? Developing a data breach response is a lot like developing a disaster recovery plan in that you hope you never need it, but having one can help tremendously in the event of a breach by minimizing additional losses and damage to the firm’s reputation. Even if your firm outsources your IT and/or applications to external vendors or cloud providers, you should have a basic incident response plan in place in the event firm data is breached via a third party. Below are seven considerations to help you begin to organize your firm’s breach response plan.

Response Team: Firms should have a list of internal personnel and external resources readily available including designating a primary Incident Response Officer (IRO) who is the firm owner or someone at the senior management level. In larger firms, this individual will act as the liaison between senior management and the other incidence response team members. The IRO should not be the IT person/director as they will be engaged in the technical aspects of remediation. It is important to also have a backup person designated in the event the lead person is not available. Other team members may include existing internal IT personnel, external vendors that provide cybersecurity services, as well as vendor contacts within cloud hosted applications, and legal counsel familiar with cyber security issues.

Incident Notification Process: Anyone noticing suspicious activity should be regularly reminded of who to contact (IT/security personnel) and whether to do so in person, instant messaging, or on the phone (as email may be compromised) so the appropriate person can assess the situation and determine if there was a possible security or privacy breach. If the initial responder has concerns of a security breach they would notify the IRO to oversee an investigation and remediation efforts.

Breach Investigation: Your IRO will work with the IT team to investigate the event to determine if it is an actual security incident, which the National Institute of Standards and Technology (NIST*) defines as “a violation of or imminent threat of violation of the firm’s computer security policies, acceptable use policies, or standard security practices.” It is important that the response team also documents what has transpired including the dates and times of suspicious events and all communications with outside parties regarding the incident. This information should be captured in a written/digitally recorded format to get other response team members quickly up to speed, and with the understanding that it may be important in any future legal or criminal proceedings.

Remediation Efforts: The IT team should have written policies to monitor suspicious activities, disconnect, contain and block services, confiscate impacted workstations/devices, and physically secure the premises to minimize further damage. Remediation efforts would also include specific external cybersecurity resources and contacts at the firm’s Internet Service Provider (ISP), who can help trace the origin of an attack and/or block it.

External Remediation Resources: An important aspect of the incident response is to identify forensic and cybersecurity firms that can assist with remediation, eradication of threats, and any clean-up, which should have specific vendor contacts documented in the plan. With the rapid evolution in cyber attacks, it is not likely that the firm’s internal IT personnel will be able to remediate every situation, so identifying external resources is critical. Please note that remediation resources should also include the firm’s legal counsel as well as specific Federal and State law enforcement agencies (FBI/U.S. Secret Service) to address any criminal issues.

Internal Communication Plan: If it has been determined a breach occurred, the IRO should quietly notify firm management and explain what is being done to remediate the issue. Firms should delay notifying all staff until it is determined that the breach has been evaluated (and it is confirmed that no internal personnel were involved). Once the IRO and response team is convinced they have remediated the issue, a firm wide communication outlining the facts and firm response should be sent to all staff including who is authorized to respond to any public inquiries. This communication should explain what happened, what the firm has done to fix the situation and what the firm will do in the future to minimize the risk of a breach occurring again. The communication plan may also need to notify impacted clients and what the firm will provide such as Identity Theft Protection Services.

Public Notification of Breach: The firm should establish a primary (and backup) point of contact to handle all public communications with the media. If the breach is in a very large firm, this could also entail setting up a webpage with FAQs and also provide additional resources to deal with large volumes of phone calls, emails, and physical mail. The firm should also identify which incident reporting organizations they want to use. Verizon and the Identity Theft Resource Center are both organizations that consolidate and report on privacy/data breach incidents for firms.

Should a security/privacy breach occur in your firm, it is not likely to unfold in a neat, organized fashion so it is important to have resources organized beforehand and to be flexible in responding to the specific situation. Discussing and documenting these considerations will help minimize the negative impact of a breach and speed up the process to get the firm back to normal operations.

*FIRM RESOURCE: The National Institute of Standards and Technology (NIST) Publication 800-61: Computer Security Incident Handling Guide, was used in development of this article and it is also suggested that firms refer to it for more comprehensive guidance on developing an incident response plan, in particular Table 3-5: Incident Handling Checklist and Appendix A-Incident Handling Scenarios.

Roman H. Kepczyk, CPA.CITP, CGMA, LSS BB is the Director of Consulting for Xcentric, LLC and works exclusively with CPA firms to implement today’s leading best practices and technologies incorporating Lean Six Sigma methodologies to optimize firm production workflows. Roman is also the author of the 2016 Edition of “Quantum of Paperless: A Partner’s Guide to Accounting Firm Optimization” which is available to PCPS members.