The Sedona Conference Releases Incident Response Guide for Public Comment
The guide, available for public comment until June, aims to serve as a reference tool for those unfamiliar with incident response plans or state breach notification laws.
March 29, 2018 at 12:04 PM
Less than a year after releasing the third edition of its flagship e-discovery guide, the Sedona Conference is again adding to its library—but this time, with data security top of mind. The nonprofit research and educational institute has announced the release of “The Sedona Conference Incident Response Guide,” available for public comment through June 19 on its website.
The guide, authored by The Sedona Conference Working Group 11 on Data Security and Privacy Liability, is intended to serve as a reference tool for those who have never created an incident response plan and struggle to understand state breach notification requirements.
“The Sedona Conference believes that because of the complexity and the differences of all the state breach notification laws, it would be helpful to bring some sort of structure to the notification process,” said Robert Cattanach, a partner at Dorsey & Whitney and editor-in-chief of the new guide.
He added that the publication will also offer an incident plan template for readers to get “some sense of what it would have to look like.”
The guide, which its authors said was “drafted with small to medium-sized organizations in mind,” contains advice on how to create an incident response plan and on the steps that need to happen before, during and after an incident. For instance, it discusses how and when companies need to contact external parties—such as law enforcement, insurance carriers and vendors—to limit their liability and effectively address any related risks.
What's more, the guide explains how companies can tailor their incident response plans to the different types of situations they may face. In the midst of a cyberattack from external actors, for instance, it's important to preserve any evidence of intrusion, though that's not always an easy thing to do.
“For example, in many traditional networks, disconnecting power from a server will not be an appropriate means of preserving evidence,” the guide notes. “In some situations, it may be appropriate for the server or other hardware to remain powered on, but the network connection severed.”
The last section of the guide looks at the obligations parties have to notify state agencies under different scenarios. For example, “When you might discover that there was some intruder, but they didn't take anything, that may not create or trigger an obligation,” Cattanach said.
While the guide does not go into each state breach notification law in detail, it does group state laws together depending on their requirements—for example, states that require parties to notify the attorney general's office of a breach, or those that require notification only if an incident produces a “reasonable likelihood of harm.”
Cattanach noted that state breach notification laws posed a particular challenge for the authors of the guide because of the pace at which they are evolving. Since the guide was published for public comment, he said, South Dakota has passed its own breach notification law, while Alabama is considering passing such a law as well.
“The final comment is due June 19, and then we'll take those comments and respond to them as appropriate,” Cattanach said, adding that the guide will be updated to reflect the new states' laws, though such updates will likely take several months.
When asked how the guide will keep up to date with all the changes to state breach laws that may arise in the future, Cattanach noted that The Sedona Conference is still debating the best course of action.
“We are still struggling with that question,” he said. “What I anticipate is that we will have some sort of addendum, roughly on an annual basis, so we can add something to what is there, but we won't change the master document. But the final answer to that is by no means certain.”
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.