The recent discovery of the Heartbleed bug highlights the importance of being ready to handle cybersecurity breaches. Just as businesses should have an emergency response plan for physical threats such as a tornado or fire, they should also have a response plan in place for cybersecurity threats.
The primary objective in efficiently responding to a cybersecurity breach is to minimize damage caused by the event, including loss of confidence resulting from the breach. A business’ cybersecurity breach response plan should be tailored to that business’ needs and issues, and so no two plans will be identical. Businesses should consider the following issues when developing their response plan:
- Who will be responsible for decision making regarding breach response, and what will happen if the decision maker(s) are not available?
- Is a technology team in place (internally and externally if appropriate) to help stop the breach from continuing by shutting down technology or providing other remediation services?
- Do the business’ vendor agreements provide it with the right to direct, participate in, or receive timely updates about cyber incidents and forensic investigations?
- What regulatory requirements may apply to the business’ security breach response? Most states have enacted legislation requiring that certain specific actions be taken in response to a security breach, including reporting and notification requirements. Businesses in highly regulated industries such as health care, finance and banking may be subject to additional requirements.
- What are the business’ protocols for communicating with customers, suppliers and regulatory bodies regarding a security incident?
- Does the business have cyber insurance that would cover the incident?
- Is the response plan in writing and up to date, so that it can be easily accessed in the event of a breach?
Naturally, businesses should also minimize their risk of a security breach by consciously managing physical and cyber security. Each business should put into place systems and safeguards intended to protect data, including the implementation and enforcement of policies regarding employee handling of sensitive information, due diligence of vendors and other third parties having access to sensitive data and information, the assessment of internal and external threats, and examination of data collection, use, storage and retention practices. Further information about risk management can be found at Heartburn from the Heartbleed Bug? New U.S. Cybersecurity Framework Provides Helpful Standards to Manage Risk.
If you have questions about drafting or reviewing your cybersecurity breach response plan or your cybersecurity systems and safeguards, contact Jennifer Puplava at (616) 632-8050, or the Mika Meyers attorney with whom you normally work.