The Right Stuff: Building an Effective Cybersecurity Incident Response Team
October 17, 2017 at 08:21 AM
The original version of this story was published on Law.com
I. A Multi-disciplinary Team-based Approach to Incident Response
A well thought-out and practical incident response plan is a key component of any comprehensive information security program. But, organizations often make the mistake of categorizing the incident response plan as an “IT issue” or a “legal issue.” A cybersecurity incident that results in a breach is an “issue” that affects several parts of the organization. Thus, the plan to respond to an incident should involve several parts of the organization.
For those of you who are not sports fans, please indulge me for a moment. An incident response plan involving only one department of an organization is like a basketball team where every member plays the same position. Like a team full of centers, the resulting plan may be so focused on defense and blocking that proactive steps such as early contact with law enforcement may be seen as too “risky” to include. As lawyers, we can often be so focused on the legal ramifications that we miss some of the practical business considerations of incident response. For example, as lawyers, we may want public communications to state the bare minimum regarding a breach; only what is legally required. But, making a minimalist statement may result in a public relations backlash for failing to disclose critical information in a timely manner. We need the other positions on the team to put our advice in context and achieve a “winning” result. An effective incident response plan is both a product and a tool of a multi-disciplinary incident response team (“IRT”).
Like building a successful sports team, crafting an effective IRT includes (1) identifying the necessary internal and external IRT members, (2) considering the strengths and weaknesses of each position and assigning roles and responsibilities accordingly, and (3) training the team members through practice to work together toward a common goal. Several publications can provide the basis for an adequate incident response plan. See, e.g., National Institute of Standards and Technology (NIST) Special Publication 800-61 or International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27035. Instead of focusing on the content of the plan, which is covered by those publications, this article will focus on assembling a team to (A) craft the incident response plan that will be most effective for the organization and (B) execute that plan in the event of a cybersecurity incident.
II. Identifying the Necessary Team Members and Their Strengths and Weaknesses
An effective IRT often includes the following members:
| Position | Internal Member(s) | External Counterpart(s) |
| --- | --- | --- |
| Information Technology (“IT”) | Internal IT Department | Technical Forensics Consultant; Co-location Facilities |
| Legal and Compliance | General Counsel or Designee; Privacy Officer; Human Resources | Outside Counsel |
| Business Management | Senior Management (e.g., Chief Executive Officer or Chief Information Officer) | Outside Counsel |
| Public Relations | Chief Marketing Officer or Communications Manager | Public Relations Firm |
| Risk Management | Risk Management Specialist | Insurance Consultant |
A. Information Technology
Internal IT Department
The IT department of an organization is probably the most frequently thought of team member when it comes to responding to cybersecurity incidents. In many ways, the IT department (or security department embedded within the IT department) is the base of the pyramid in incident response planning. It will likely have the largest number of IRT members and will be relied upon for information on which other team members will act. The IT department will likely serve as the primary point of contact for many of the external IRT members. For example, the IT department will coordinate with the technical forensics consultant to determine the operational impact of a cybersecurity breach and remediate the effects. The IT department may also provide outside counsel or a consultant with the names of individuals that the breach may have affected for purposes of compliance with breach notification laws.
The internal IT department may also be the first IRT member to receive notice of a cybersecurity incident through channels such as managed security services logs or reporting from other personnel. As a result, it is important that a lead IT member be appointed to ensure that only one individual will initiate the call tree to notify other IRT members. This same IRT member may be responsible for initial triage of the incident or setting up a help desk support line for affected personnel.
Technical Forensics Consultant
Although an organization's internal IT department has the strength of knowing the intricate details of the infrastructure, that knowledge can bias the internal IT department's focus during incident response. Therefore, an external IT expert, such as a technical forensics consultant, is an important member of the IRT. The technical forensics consultant can bring an objective perspective to finding the source of a breach as well as industry knowledge of threats faced by its other clients. This consultant also liaises with legal and public relations regarding communications with regulatory bodies and affected individuals about the nature and potential impact of a breach.
Co-location Facilities
A defensive strategy against threats such as ransomware attacks and distributed denial of service (DDoS) attacks includes storing backups of critical data offsite at co-location facilities. Having a representative from such facilities as a member of an IRT can help the organization put internal IT infrastructure in place to restore data from those backups with minimal downtime. This member will work closely with the internal IT department in the event of a loss of data or loss of access to data. The co-location facilities contact may also assist a technical forensics consultant in determining the undisturbed state of affected databases through comparisons between the pre-incident backups and affected systems.
B. Legal and Compliance
General Counsel or Designee
The lead lawyer on the IRT should be an attorney that has a broad view of the business and legal needs of the organization. Often, this attorney is the general counsel, chief legal officer, or deputies of these attorneys that have a wide range of responsibilities. Because of the general counsel's holistic view of the legal needs of the organization, he or she will be able to effectively coordinate with business management, IT, and other IRT members to provide information regarding applicable laws and regulations based on the activities and industry of the organization.
Privacy Officer
Although data privacy and information security are often mentioned in the same breath, important distinctions exist between these two subjects. For example, the principles of notice and consumer choice are data privacy principles but are not necessarily principles of information security. However, a good data privacy program requires good information security to fulfill an organization's duties under regulations such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. For instance, Section 164.514 of HIPAA requires a covered entity to “use appropriate safeguards to prevent use or disclosure of the information other than as provided for by [a] data use agreement.” An organization's privacy officer will likely be familiar with such data use agreements as well as other promises made to consumers or employees in privacy policies. As an IRT member, the privacy officer can help to ensure that these matters are addressed in the incident response plan. During an incident, the privacy officer can also be a resource for the marketing and communications IRT members when crafting messages to address any potential breach of the promises made regarding limitations on disclosure of consumers' or employees' personal information.
Human Resources
In many organizations, the human resources (“HR”) department is the group that will be responsible for communicating policies, such as components of the incident response plan, to employees, as well as enforcing information security policies through dismissal of employees or other disciplinary action. Thus, including HR personnel, especially senior personnel, on the IRT may increase the likelihood that an incident response plan will be followed. In addition, phishing attacks are often targeted at HR personnel of large organizations because HR personnel have extensive access to sensitive personal information of employees. Therefore, including key personnel of the HR department on the IRT may prevent those attacks from being successful by educating those personnel and making the HR department an integral part of the organization's information security program. The HR IRT member may also work with other IRT members during or after an incident to craft communications to employees.
Outside Counsel
In certain circumstances, attorney-client privilege may not attach to communications between in-house counsel and members of an organization, especially where in-house counsel routinely provides both business and legal advice. See, e.g., In Re Vioxx Products Liability Litigation, 501 F. Supp. 2d 789, 797 (E.D. La. 2007) (noting that “[i]t is often difficult to apply the attorney-client privilege in the corporate context to communications between in-house corporate counsel and those who personify the corporate entity because modern corporate counsel have become involved in all facets of the enterprises for which they work”). Therefore, including outside counsel as a member of an IRT can provide a more secure umbrella of attorney-client privilege by making clear that communications involving outside counsel relate to legal advice. See, e.g., In Re Grand Jury Proceedings, 517 F.2d 666, 670 (5th Cir. 1975) (holding that attorney-client privilege applies to communications sought “for the purpose of securing primarily either (i) an opinion on law or (ii) legal services or (iii) assistance in some legal proceeding”). This protection facilitates a more open flow of information between IRT members and may expedite resolution and decision-making. Outside counsel can also provide input regarding data privacy and information security laws and regulations. But, only through coordination with IRT members such as the general counsel's office and the IT department, can outside counsel help determine which of those laws and regulations apply to the particular incident.
C. Business Management
Senior management such as the Chief Executive Officer or Chief Information Officer can endorse the incident response plan in a manner that encourages every employee of the organization to respect the importance of following the plan. Other members of management may be on the IRT to carry out administrative duties related to crafting the plan and during an incident, but senior management will often be the IRT member that will provide the face of the organization to the public. Business management IRT members will also likely coordinate with the other IRT members to provide a dashboard of information about an incident and liaise with the board of directors of the organization.
D. Marketing and Public Relations
Marketing or Communications Department
The reputation of an organization may not be on the balance sheet but it is a valuable asset that can be lost very quickly if a cybersecurity incident is not handled properly in the eyes of the public. Thus, IRT members from an organization's marketing or communications department should work closely with the other IRT members to craft messaging throughout the response to an incident. For example, these team members can work with IT and legal to develop a script for incident call center staff as well as any breach notification communications. These internal IRT members have insight into the organization's communication style and can help provide brand consistency throughout the incident response.
Public Relations Firm
While internal marketing and communication IRT members have unique insight into the organization's style and brand, an outside public relations firm can bring experience and “lessons learned” from responses to incidents for other clients. This external IRT member can provide intelligence about the public's current appetite for certain information and may have established relationships with media outlets that can help the organization control the timing of announcements about the incident.
E. Risk Management
Risk Management Specialist
An internal risk management specialist can provide the IRT with quick analyses related to the organization's risk profile: both the current risk profile and how the organization has managed risk in the past. This IRT member would also be the primary point of contact for the outside insurance consultant discussed below. As the internal risk manager, this specialist can place any cybersecurity insurance in context with other insurance procured by the organization and help determine the appropriate limits for such coverage.
Outside Insurance Consultant
If an organization is considering procuring cybersecurity insurance as part of its incident response plan, an outside consultant can provide valuable assistance before, during, and after a cybersecurity incident. This outside consultant would be separate from the organization's insurance broker, whose goal of protecting its employer or underwriters may conflict with the best interest of the organization during an incident.
This consultant can assist an organization in understanding the myriad insurance policies that are referred to generally as “cyber-insurance.” For example, coverage such as a Network Security and Enterprise Privacy Liability policy covers certain third-party and first-party costs related to disclosure of personally identifiable information maintained by the organization (such as that of its employees or customers), while coverage such as a Network Interruption Policy can cover first-party costs related to systems that are unavailable due to a DDoS or ransomware attack. During a response to an incident, this outside insurance consultant would coordinate with risk management and legal to determine when and if the insurer should be notified. Many cyber-insurance policies have a maximum time period for notification of the carrier after a “breach.” See National Association of Insurance Commissioners & Center for Insurance Policy and Research, Report on the Cybersecurity Insurance Coverage Supplement, at 4 (Aug. 27, 2016) (stating that insurers have protected themselves by placing specific time limits from when an incident or breach occurs); Neal McCarthy, Integrate Cyber-Insurance into Your Cybersecurity Incident Response Plans, SecureWorks (Jan. 16, 2017) (stating that some cyber-insurers require notification of incidents before knowledge of an actual breach); Israel Martinez, Cybersecurity Insurance: What You Really Need to Know, Middle Market Growth (Apr. 6, 2016) (detailing the difference between a breach and an incident and how some cyber-insurers require notification of incidents). Not every cybersecurity incident is a breach, and unnecessary notification of the insurer may signal that the organization is a higher-risk client and should be charged a higher premium.
On the other hand, a delay in notification because IT personnel want to investigate further could result in a loss of coverage if the policy's notice period begins upon discovery of an incident and not upon determination of a breach. Id.
III. Training the IRT through Practice Toward a Common Goal
A. Defining the Goal
Because each organization's needs are different, not every organization will have the same IRT structure. And, it may not be advisable from a cost-benefit perspective for certain organizations to have all of the IRT members described in this article. An organization will need to determine the right players for its team based on the primary goal of its incident response plan. For an organization that collects and stores significant amounts of consumer data, a primary goal of its incident response plan may be to minimize any loss of customers due to an incident. For an organization that the government has designated as critical infrastructure (e.g., a refinery), the primary goal of its incident response plan may be to minimize or eliminate the risk that any breached data could be used to initiate physical property damage or injury to personnel.
B. Training through Practice
Once the primary goal and other goals of the incident response plan are clearly defined, the key to success is to practice achieving those goals. For IRT members, these practices are often called “tabletop exercises.” Tabletop exercises involve scenario gameplay that walks the IRT through every step of the plan from incident identification through any remediation and breach notification. To ensure readiness and address any turnover in the IRT members, tabletop exercises should be performed regularly (e.g., once per year or every six months). Practice for employees that are not members of the IRT would include training and education about incident prevention (e.g., phishing tests), how to report an incident, and how to continue conducting business during an incident (e.g., education about responding to requests for comments from the media).
Practice may never make perfect but it does make better. Lessons learned from tabletop exercises enable refinements to the incident response plan and reduce the chance of paralyzing panic during an actual incident. As suggested above, teamwork is key to determining the appropriate response to a cybersecurity incident, whether or not the incident is an actual breach. IRT members effectively working together is truly its own success.
Devika Kornbacher is an Intellectual Property partner in Vinson & Elkins' Houston office and Chair of the firm's Cybersecurity & Data Privacy Task Force. She has been designated a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals (IAPP).