Practice Makes Perfect When It Comes to Data Incident Response
Time is critical when a data incident or breach occurs and the best time to practice against and assess such events is now and frequently, lawyers and cybersecurity specialists said.
January 31, 2019 at 11:13 AM
3 minute read
When a data incident occurs, "who you gonna call"? The answer, unfortunately, isn't the Ghostbusters, according to speakers at a Legalweek panel titled "Beyond the Attack—Legal & Ethical Considerations in Breach Response." For them, help should come from a well-thought-out and practiced internal cybersecurity plan involving key stakeholders.
To be sure, while any company faces the possibility of a data breach, the risk isn't uniform across the economy. "Every company faces a different threat landscape depending on who you are and what data you have," said Bryan Rose of technical consulting company Stroz Friedberg. "Everyone should try to get a clear understanding on a recurring basis as to what your particular threat landscape is and how it's changing."
There are, however, ways that all companies can mitigate their risk. For example, succession planning, including discontinuing access to employees that haven't left the company but whose job requirements have changed, can be a preventive step for guarding confidential information, said Margaret Gloeckle, A&E Networks' vice president and privacy and compliance counsel. She advised that companies perform routine audits to assess who has access and to what.
When a data incident escalates into an actual breach, Gloeckle suggested organizations have escalation plans in place.
"The escalation process is very critical because if you think about some of the regulations we have seen specifically around [New York State Department of Financial Services], there's a notification period of 72 hours," Gloeckle said. "If you think about the [General Data Protection Regulation], they tell you [that] you need to notify without undue delay and the 72-hour clock starts to tick and they also have to update regulators in that 72-hour window. Escalation and communication are key pieces in implementing your incidents response plan."
The panel also recommended organizations perform routine tabletops—cybersecurity training exercises that bring key stakeholders together and stimulate a data breach and test the response plan.
The call for tabletops, cybersecurity processes and practice can seem daunting for entities of any size. But the panel's moderator, International Legal Technology Association CEO Joy Heath-Rush, suggested all organizations must begin proactively guarding their data.
"I know probably if you are in a smaller organization, you're hearing this and saying, 'I don't have these analysts, I don't have this great bundle of stuff,'" Heath-Rush said. "You can find resources that can help you identify your most low-hanging fruit for vulnerabilities and make sure you are addressing that."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Friday Newspaper
- 2Judge Denies Sean Combs Third Bail Bid, Citing Community Safety
- 3Republican FTC Commissioner: 'The Time for Rulemaking by the Biden-Harris FTC Is Over'
- 4NY Appellate Panel Cites Student's Disciplinary History While Sending Negligence Claim Against School District to Trial
- 5A Meta DIG and Its Nvidia Implications
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
