Incident Response: 3 Easy Traps & How to Avoid Them

Incident Response: 3 Easy Traps & How to Avoid Them
Sage legal advice about navigating a data breach from a troubleshooting cybersecurity outside counsel.

While a serious security incident may be a rare occurrence inside an organization, as a troubleshooting outside counsel, I witness a range of incidents that run the gamut from serious to strange and are often riddled with common pitfalls. It never fails that the event seems to occur at the most inopportune times, such as Christmas Eve or when I'm standing in the middle of the frozen food section of the grocery store (both real-life examples) — the phone rings, and on the other line a client is experiencing their worst day ever. My job is to jump into the mix and begin troubleshooting the legal risks. Here are three traps I frequently see security teams fall into, and how best to navigate them.


Trap 1: Failure to Have a True Incident Response Plan (or to Follow It)When was the last time you dusted off the ancient incident response plan and actually read it? No matter how sophisticated your organization may be, or how many times you've conducted a tabletop exercise in the last few years, it is important to review the plan and refresh it based on what incidents your organization may face today.


Do you know who is going to call outside counsel? Do you know who is alerting the insurance company? Or, better question, do you know what event triggers the alerting of both? These are often steps that need to happen either immediately or rapidly after first learning of an event.


Often, in the heat of a serious incident, the plan gets pushed to the wayside. Control of the incident response gets wrestled away from the CISO and may get placed in the hands of th ..