For any company handling personal information (PI), an incident involving unauthorized access of the PI may be a question of when and not if. The question then becomes: what does the company need to do? Having an incident response plan that outlines the roles and responsibilities of company stakeholders, the steps the company will take in response to an incident, and the issues it must consider is essential to re-securing the network, meeting the legal obligations arising out of the incident, and minimizing the monetary and reputational harm to the company. All 50 states have breach notification laws that require businesses to take certain actions in the event of a data breach. While notification laws vary from state to state, most states require notification without unreasonable delay and are starting to impose deadlines as short as 30 days. Meanwhile, the GDPR requires a controller to notify “without undue delay” a data breach to the supervisory authority within 72 hours, and if the breach is likely to pose a “high risk to the rights and freedoms” of individuals, it must also notify the affected individuals.

What this all means for a business is that it should have an effective incident response plan, a critical component of one of the main phases (preparing internal procedures) of a comprehensive privacy and data security program. See e.g., CNIL guidance. This point was driven home at the Incident Response Forum West held in Los Angeles on February 6, 2019, where cybersecurity professionals in government and the legal industry spoke on issues surrounding data breaches and the components of an effective response plan, such as having a playbook, checklist and crisis communication plan. The plan should not just be a paper document, but businesses should conduct tabletop exercises to test and refine the plan. It all starts with knowing what data is being collected and where it resides.