Within the Risk Management, Compliance, or IT department there will be a team, the first responders, who collect the information about an incident and determine whether the event is a breach; and if it is, who is going to manage it.
Caerleon Security has a process that the first responder team can use to analyze the applicable regulations (federal, state, local, AG guidance, court findings, PCI or OCR rulings) for the required actions and the deadlines that must be met. Their assessment should include:
- Assessments of potential regulatory exceptions and safeguards, both federal and state
- Highlights of possible areas of concern that might increase liability
- Size of the breach
- The kind of information that was compromised
- The nature of the people whose information was compromised: are they litigious? In the public eye?
- Third-party liability analysis (including contractual analysis)
- Steps for remediation
- Deadlines for response/notifications (where applicable)
- Notification requirements (where applicable)
One of the findings that will emerge from the incident triage process is the answer to the question: “Do we (the company) have the ability to manage this event ourselves, or would we be better served by bringing in experts?”
This decision process should be agreed to at the highest level in the company and promulgated to all affected departments. This will eliminate what seems to have made the Target and Sony breaches so damaging: the hesitation, the delay, and the lack of a proactive plan implemented by experts.
Caerleon Security would welcome the opportunity to show a company why we are the ideal choice to be your breach management team.