Information & Privacy Post
Ten Incident Response Tips – Part 2
Date: December 13, 2016
In Part 1 of this two-part series on data security incident response, we identified five “norms” to guide your incident response process:
- Initiate a response as soon as possible
- Watch your assumptions
- Keep the ball moving
- Don’t rush
- Obtain objective input
Here are five additional norms to follow:
- Obtain technical input
Not every incident demands IT forensic expertise, but if the root of a problem is likely to be based on technical (as opposed to human) factors, you may need such special assistance. IT forensics is also necessary to reliably determine the scope of a network intrusion and reliably re-secure a network after a successful outside attack. Working with an expert supports the proper analysis of technical matters and the proper preservation of digital evidence.
- Take a broad view of notification
Notification may be required by statute and contract. The existence of a common law duty to warn of foreseeable harm is also a concern. Even in the absence of a legal duty, however, consider whether notification is appropriate. And in all cases, ask whether you are telling individuals because they are likely to be harmed, because it’s the right thing to do to protect a relationship or reputation, or because they likely already know.
- Put yourself in their shoes
When writing a notification and other communications, ask “What would I want to know about this?” The individuals you notify will be uncomfortable because they are facing an unknown risk. Help them by giving all of the basic (and reliably known) facts that shed light on the risk. It may also be appropriate in some circumstances to carefully convey your assessment of the risk.
- Demonstrate commitment to doing better
Avoid platitudes like, “We value your privacy.” Demonstrate your commitment to privacy protection by committing to a meaningful remedial plan. Draw on a strong root cause analysis and make a genuine commitment to things that are likely to be effective. Saying only, “We plan to amend our privacy policies in response to this incident” is likely to be perceived poorly.
There is legislation in most Canadian provinces and territories that deems an apology to be privileged – meaning it cannot be considered as an indication of fault or liability by a regulator or a judge. Consider acknowledging what happened, accepting responsibility and expressing regret. You can (and normally should) do so without admitting that you were negligent. Have a senior spokesperson author the notification letter.
If you need advice about an incident you are dealing with now, please call Daniel J. Michaluk or any member of our Information & Privacy Group. With extensive expertise on data breach management, we are well-positioned to provide you with the advice you need to manage the issue and solve your problems.
The article in this Client Update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©