The Sedona Conference Releases Incident Response Guide for Public Comment
The guide, available for public comment until June, aims to serve as a reference tool for those unfamiliar with incident response plans or state breach notification laws.
March 29, 2018 at 12:04 PM
Less than a year after releasing the third edition of its flagship e-discovery guide, the Sedona Conference is again adding to its library—but this time, with data security top of mind. The nonprofit research and educational institute has announced the release of “The Sedona Conference Incident Response Guide,” available for public comment through June 19 on its website.
The guide, authored by The Sedona Conference Working Group 11 on Data Security and Privacy Liability, is intended to serve as a reference tool for those who have never created an incident response plan and struggle to understand state breach notification requirements.
“The Sedona Conference believes that because of the complexity and the differences of all the state breach notification laws, it would be helpful to bring some sort of structure to the notification process,” said Robert Cattanach, a partner at Dorsey & Whitney and editor-in-chief of the new guide.
He added that the publication will also offer an incident plan template for readers to get “some sense of what it would have to look like.”
The guide, which its authors said was “drafted with small to medium-sized organizations in mind,” contains advice on how to create an incident response plan and on the steps that need to happen before, during and after an incident. For instance, it discusses how and when companies need to contact external parties—such as law enforcement, insurance carriers and vendors—to limit their liability and effectively address any related risks.
What's more, the guide explains how companies can tailor their incident response plans to the different types of situations they may face. In the midst of a cyberattack from external actors, for instance, it's important to preserve any evidence of intrusion, though that's not always an easy thing to do.
“For example, in many traditional networks, disconnecting power from a server will not be an appropriate means of preserving evidence,” the guide notes. “In some situations, it may be appropriate for the server or other hardware to remain powered on, but the network connection severed.”
The last section of the guide looks at the obligations parties have to notify state agencies under different scenarios. For example, “When you might discover that there was some intruder, but they didn't take anything, that may not create or trigger an obligation,” Cattanach said.
While the guide does not go into each state breach notification law in detail, it does group state laws together depending on their requirements—for example, states that require parties to notify the attorney general's office of a breach, or those that require notification only if an incident produces a “reasonable likelihood of harm.”
Cattanach noted that state breach notification laws posed a particular challenge for the authors of the guide because of the pace at which they are evolving. Since the guide was published for public comment, he said, South Dakota has passed its own breach notification law, while Alabama is considering passing such a law as well.
“The final comment is due June 19, and then we'll take those comments and respond to them as appropriate,” Cattanach said, adding that the guide will be updated to reflect the new states' laws, though such updates will likely take several months.
When asked how the guide will keep up-to-date on all the changes to state breach laws that may arise in the future, Cattanach noted that The Sedona Conference is still debating the best course of action.
“We are still struggling with that question,” he said. “What I anticipate is that we will have some sort of addendum, roughly on an annual basis, so we can add something to what is there, but we won't change the master document. But the final answer to that is by no means certain.”
© 2024 ALM Global, LLC, All Rights Reserved.