A General Counsel should plan on preparing an initial briefing to a CEO shortly after a data breach has occurred. Advance planning will help you achieve this goal.
BEFORE THE BREACH:
- Locate outside counsel with experience in computer intrusions. Identify an individual who understands the technical, legal and regulatory implications of particular types of breaches.
AFTER THE BREACH:
- Get a debrief from whomever will present the information about the compromise (i.e., the IT Director, CIO, HR Director, etc.).
- Direct the IT staff to freeze all internal audit trails.
- The GC then needs to convene a meeting of the company’s incident response team which will then proceed through executing the company’s previously adopted incident response plan.
- The GC should then, if he/she has not already done so, inform the CFO. A decision will then need to be made on whether or not this particular breach requires you to notify law enforcement. This will all be spelled out in your incident response plan.
- An analysis of the company’s insurance policy should be undertaken to determine what, if any, insurance will cover the breach, any loss, or other costs associated with the breach.
- Immediately start keeping track of all costs (time, expense, damages) associated with the breach. Finally, contact the CEO.
- Each of the foregoing steps will help the GC provide the CEO with the information necessary to evaluate the breach and make timely and informed decisions.