Image for post
Image for post

Cybersecurity Incident Response Plans — A Corporate Multi-Use Tool

The stakes have been raised as the EU’s new General Data Protection Regulation, or GDPR, mandates notification within 72 hours. Once that happens, social media and public opinion give you only hours to get it right.

FinTech Weekly
Jun 11, 2018 · 4 min read

by Robert E. Braun, Jeffer Mangels Butler & Mitchell LLP

It’s often said that one can do something well, or quickly, but not both. Corporate America is facing a world where the public demands both speed and accuracy; companies have one chance to get it right, and get it right at once.

Consider the two most recent examples: on April 12, two black men were arrested at a Philadelphia Starbucks after they entered the store and failed to place an order as they waited for a friend to arrive. The arrest was videotaped and posted on Twitter, where it immediately went viral. Within two days, CEO Kevin Johnson was apologizing for “a disheartening situation” that led to a “reprehensible outcome.” On May 29, Starbucks closed all its stores in order to train employees on racial sensitivity and implicit bias. Six weeks later, ABC reacted to an inflammatory, early morning tweet by Roseanne Barr within hours, calling it “abhorrent, repugnant and inconsistent with our values,” and cancelled her top-ranked TV show.

The lesson here is that the initial corporate emergency response time to a public relations calamity shrank from two days to several hours in just over a month.

What does this have to do with cybersecurity? Everything.

Cybersecurity and data breach response plans are all about dealing with a fast-moving and soon-to-be public crisis. Notifications, and therefore publicity, are mandatory. The stakes have been raised as the EU’s new General Data Protection Regulation, or GDPR, mandates notification within 72 hours. Once that happens, social media and public opinion give you only hours to get it right. And as we know so painfully from the Equifax breach, that needs to be done correctly the first time round. Equifax notified the public of its data breach — covering more than 143 million people and attacking its core business — a month after it discovered the breach, and when it did, its reaction was widely criticized.

Smart companies have adopted, implemented and tested data security rapid-response plans. Security and corporate crisis response, when trained and embedded into a company, become part of corporate culture, not just a plan. Knowing how to respond when crisis strikes — and then responding as trained — becomes as important a corporate value as any in the mission statement.

As such, a cyber-breach response plan can be used as a corporate crisis multi-use tool. The response plan is designed to avoid delay and mistakes when a crisis strikes; not only do you not want teams to need to refer to a manual during a crisis response, you want them to work from experience. This kind of reaction and training results in a response in which each individual knows her or his role, and immediately begins deploying the tools they’ve been trained to use. At its best, the properly prepared corporation combines the different skills and authority required for crisis response to work in concert for best-case outcomes.

The takeaway here is that a company’s cybersecurity response plan is likely under-utilized; it can be the basis for the dress-rehearsal response to any corporate disaster. The concepts and values inherent in that plan — established decision-making hierarchy, pre-determined communication chains, clear internal and external stakeholder response — are the tools required for any modern corporate emergency.

Savvy companies will have trained every employee what to do if a data breach is suspected. That same training and mindset can be applied to any multitude of crises. Leverage what’s working in one area, and use it to teach employees how to respond to a variety of situations. Here’s how to make that work.

  1. Remain in Motion. Einstein posited that objects in motion experience time at a slower rate than those at rest; buy time by remaining in motion. Regular training for an event eliminates time wasted trying to determine what to do in an emergency. The “unthinkable” happens every day; an organization must plan for it.

When pilot Tammie Jo Shults landed disabled Southwest flight 1380, the Navy-trained professional had one chance to get it right. The same is true for land-based corporate crises. Prepare for disaster by taking a response plan that, thanks to training, works well, and apply its principles more broadly. A data breach response plan can be the starting point for smart decision-making writ large.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Contact Bob at or +1 310.785.5331.

Fintech Weekly Magazine

Insights into where finance meets technology - from…

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store