Cybersecurity Incident Response Plans — A Corporate Multi-Use Tool
The stakes have been raised as the EU’s new General Data Protection Regulation, or GDPR, mandates notification within 72 hours. Once that happens, social media and public opinion give you only hours to get it right.
by Robert E. Braun, Jeffer Mangels Butler & Mitchell LLP
It’s often said that one can do something well, or quickly, but not both. Corporate America is facing a world where the public demands both speed and accuracy; companies have one chance to get it right, and get it right at once.
Consider the two most recent examples: on April 12, two black men were arrested at a Philadelphia Starbucks after they entered the store and failed to place an order as they waited for a friend to arrive. The arrest was videotaped and posted on Twitter, where it immediately went viral. Within two days, CEO Kevin Johnson was apologizing for “a disheartening situation” that led to a “reprehensible outcome.” On May 29, Starbucks closed all its stores in order to train employees on racial sensitivity and implicit bias. Six weeks later, ABC reacted to an inflammatory, early morning tweet by Roseanne Barr within hours, calling it “abhorrent, repugnant and inconsistent with our values,” and cancelled her top-ranked TV show.
The lesson here is that the initial corporate emergency response time to a public relations calamity shrank from two days to several hours in just over a month.
What does this have to do with cybersecurity? Everything.
Cybersecurity and data breach response plans are all about dealing with a fast-moving and soon-to-be public crisis. Notifications, and therefore publicity, are mandatory. The stakes have been raised as the EU’s new General Data Protection Regulation, or GDPR, mandates notification within 72 hours. Once that happens, social media and public opinion give you only hours to get it right. And as we know so painfully from the Equifax breach, that needs to be done correctly the first time round. Equifax notified the public of its data breach — covering more than 143 million people and attacking its core business — a month after it discovered the breach, and when it did, its reaction was widely criticized.
Smart companies have adopted, implemented and tested data security rapid-response plans. Security and corporate crisis response, when trained and embedded into a company, become part of corporate culture, not just a plan. Knowing how to respond when crisis strikes — and then responding as trained — becomes as important a corporate value as any in the mission statement.
As such, a cyber-breach response plan can be used as a corporate crisis multi-use tool. The response plan is designed to avoid delay and mistakes when a crisis strikes; not only do you not want teams to need to refer to a manual during a crisis response, you want them to work from experience. This kind of reaction and training results in a response in which each individual knows her or his role, and immediately begins deploying the tools they’ve been trained to use. At its best, the properly prepared corporation combines the different skills and authority required for crisis response to work in concert for best-case outcomes.
The takeaway here is that a company’s cybersecurity response plan is likely under-utilized; it can be the basis for the dress-rehearsal response to any corporate disaster. The concepts and values inherent in that plan — established decision-making hierarchy, pre-determined communication chains, clear internal and external stakeholder response — are the tools required for any modern corporate emergency.
Savvy companies will have trained every employee what to do if a data breach is suspected. That same training and mindset can be applied to any multitude of crises. Leverage what’s working in one area, and use it to teach employees how to respond to a variety of situations. Here’s how to make that work.
- Remain in Motion. Einstein posited that objects in motion experience time at a slower rate than those at rest; buy time by remaining in motion. Regular training for an event eliminates time wasted trying to determine what to do in an emergency. The “unthinkable” happens every day; an organization must plan for it.
- Matter is Constant. Ensure that constants remain constant. This includes corporate values and adherence to principles and procedures. Companies fail when they are tempted to apply situational ethics instead of responding based on existing values. Discussions in which decision makers try to quantify the “cost” of inaction against action should not be part of the response. Some calculations are binary, regardless of our tendency to want to create areas of gray.
- Carry an Internal Compass. The surest path to disaster is to wait to see how something will play out, whether that means the size of the breach, the reaction on social media, shareholder reaction, the level of civic unrest, etc. Don’t cede your timeline and decisions to the merciless court of public opinion. You have a plan. There are legal and I would argue, moral, requirements to act, regardless of the size or scope of the breach or emergency.
When pilot Tammie Jo Shults landed disabled Southwest flight 1380, the Navy-trained professional had one chance to get it right. The same is true for land-based corporate crises. Prepare for disaster by taking a response plan that, thanks to training, works well, and apply its principles more broadly. A data breach response plan can be the starting point for smart decision-making writ large.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.