Understanding the Data Breach Response Process | Practical Law

A discussion of key steps an incident response team should take in responding to a data breach. This Legal Update contains helpful links to Practical Law's data breach response resources.

Understanding the Data Breach Response Process

Practical Law Legal Update 3-614-0205 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 26 May 2015, USA (National/Federal)
Responding to a data breach that exposes individuals' personally identifiable information (PII) typically involves the following stages:
  • Verification of the breach.
  • Containment and mitigation.
  • Investigation and analysis.
  • Notification of affected persons, law enforcement, regulators and other required parties.
  • Post-response review to improve processes.
Data breach response is not purely linear; these stages and their associated activities frequently overlap.

Before an Incident Occurs

Companies should have a plan to respond to a data security breach in place before a breach occurs. In fact, several compliance regimes, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), require that businesses have incident response plans.
While the plan's specifics will vary depending on the business's nature, every plan should include:
  • A standing security breach incident response team.
  • A written incident response plan that sets out procedures to follow in the event of an incident.
For more detailed information on preparing for a data breach, see Practice Note, Breach Notification: Preparing for a Data Security Breach.

The Role of the Incident Response Team

The first step in responding to a possible breach is to convene the incident response team. The incident response team should understand both its role in managing the response and the procedures set out in the response plan, and it is responsible for:
  • Managing and coordinating the organization's overall response efforts.
  • Investigating and responding to the data breach in accordance with the organization's incident response plan.
Each incident is unique and requires a specific response. However, in responding to a breach, the response team generally should:
  • Determine the scope of the internal investigation.
  • Collect data related to the breach.
  • Appoint someone responsible for keeping a response log that records the actions taken during the investigation.
  • Institute and manage internal and external communications protocols.
  • Consider whether to:
    • notify outside counsel;
    • notify law enforcement or regulatory authorities and, if so, when; and
    • engage specialized third-party consultants to assist in capturing relevant information and performing a forensic analysis.
  • Conduct follow-up reviews on the effectiveness of the company's response to the breach.
For detailed information on each step to take in responding to a data breach, see Data Breach Response Checklist. For more helpful resources on data breach notification and applicable laws, see: