A to-do list for incident response

October 11, 2022 | David Krebs, Amanda Cutinha

Cybersecurity incidents and data breaches arise without notice. Your organization may have fallen victim to a cyberattack or you may have received notice from a supplier that they have been attacked. Or perhaps a key employee has lost an unencrypted device that may have contained confidential business information or customer data. There are many examples of how an organization may be faced with the daunting task of investigating an incident, communicating with stakeholders, and plugging the holes that led to the situation.

These incidents require swift and decisive action in a context that often lacks complete information or certainty of any kind. There may be competing interests among your stakeholders, both internal and external. It is trite to say that cooler heads prevail, but that has been our experience.

The following is a list of tasks that will help you put together an approach for responding to an incident. We will also highlight some “don’ts” to stay away from. Some of these workstreams will need to run in parallel; this is not a sequential list of steps.

Don’t ignore warning signs; escalate any suspicious activity internally

If you witness signs of suspicious activity or intrusion, do not ignore them. Instead, quickly escalate security concerns internally. The people to escalate to may include your Chief Information Security Officer (CISO), Chief Risk Officer, legal counsel and/or privacy officer.

Put together an incident response team

An incident response team is made up of key players in your organization as well as external cybersecurity experts and your legal counsel/breach coach.

If you do not have a playbook or plan to follow, identify the individuals internally who need to be involved in managing this incident. These may include your CEO, CISO, Chief Risk Officer, in-house legal counsel and/or privacy officer.

If you have an incident response plan and have triggered the appropriate playbook, follow the steps. It is there for a reason.

Importantly, someone needs to be in charge of managing the incident internally. One cannot outsource accountability in these instances.

If you have already retained external cybersecurity experts and legal counsel, reach out to them as soon as possible.

Engage your insurance provider

Engage with your insurance provider and review the insurance policies that may be triggered. Your insurance provider can also help you find qualified cybersecurity experts should you not already have a team and plan in place.

Contain and investigate the breach

External cybersecurity experts will be tasked with identifying how to protect systems and data from further exposure and with identifying the security vulnerability that allowed the attack. They will work to contain and investigate the breach from a cybersecurity perspective.

Understand your statutory obligations

Legal counsel will help ensure your organization understands its statutory obligations under federal, provincial, international and sector-specific privacy law. These may include mandatory reporting, notification and record-keeping obligations, among others.

Communicate with key stakeholders and employees

Communication is an important part of incident response: incidents cannot simply be brushed under the rug in the hope that no one finds out. However, keep in mind that it is important not to rush into detailed communications. Don’t speculate in communications; it is perfectly acceptable to be transparent about the fact that an investigation is ongoing and will take time to complete.

If you haven’t already, notify the board as appropriate and communicate with employees that an incident occurred.

Identify key external stakeholders, which may include key customers with whom you want to share this information before they hear it from another source.

Notify, as appropriate

Consider your obligations to notify individuals whose personal information has been compromised.

There may be contractual obligations to notify. These obligations may or may not be triggered by the event, and they may or may not contain prescriptive timelines. If these contracts were not reviewed in advance, identify someone who can review them and provide legal advice on how they affect the response.

In addition to contractual obligations, there are legal obligations under federal, provincial, international and sector-specific privacy law. These will depend, for example, on whether the information at issue is personal information or personal health information. Privacy legislation may also require notifying privacy commissioners, depending on the risk of harm. Consult your legal counsel to determine these obligations and notify accordingly.

Preserve evidence and maintain privilege over communications

Along the way, it is important to document the actions taken and decisions made during the incident, preserve evidence and maintain privilege over communications. In the event of a lawsuit or an investigation by a privacy commissioner, this will serve your organization well.

Monitor

Cyber incidents often generate media attention that may be harmful to your business. Monitor the media and prepare for potential reactive or proactive statements. It will be helpful to work with your breach coach when drafting these statements.

As well, where malicious actors are involved, monitor the web and dark web to detect whether stolen information has found its way onto the internet.

Learn for next time and conduct a post-incident assessment

Once operations are back to normal, reflect on the process. What worked well? What didn’t? Draft an incident response plan, or work these lessons into your existing incident response plan, to ensure your organization is better equipped in case of another attack.

Review the information provided by your cybersecurity experts to harden systems and improve security, including but not limited to additional technical safeguards, employee cybersecurity training and regular system maintenance. Keep track of these improvements.

If you have any questions about incident response, our Privacy, Data Protection and Cybersecurity team is here to help!

Disclaimer

This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.