Milwaukee, WI · Washington, DC · Boston, MA
Creating a Government Response Plan

You have suffered a data breach. Various pieces of personal information about consumers that you maintain in your databases have been exposed to potential data thieves. You have investigated, fixed the security issues that were identified, and notified the affected consumers as required by law. One day after the notification letters go out, you get a phone call from an attorney at the Federal Trade Commission. What do you do?

Hopefully, you have already created a Government Response Plan for handling inquiries from government agencies, whether federal or state. A Government Response Plan has several components, and you should consider the following when building one.

First, know who you may be dealing with. Between the FTC and the states, there are many agencies that may contact you. In fact, you theoretically could be contacted by every state if your breach involved the unauthorized access of personal information belonging to residents of every state. While you generally cannot know in advance which individual will contact you, you should be familiar with each agency tasked with investigating breach incidents in the jurisdictions whose residents your data covers.

Second, create a single point of responsibility for all government contacts. This person should have sufficient authority in your organization to speak for the company; it could be outside legal counsel. All government inquiries should be directed to this person, and no one else in your organization should speak to a government investigator without going through them. Do not offer up other employees to speak with government agencies unless absolutely necessary, and do not permit interviews of your IT professionals. Although they may know the details of the breach better than anyone, all communications should initially be routed through the one designated point of contact.

Third, prepare talking points in advance. Every data breach incident your organization may suffer has one thing in common: it happened to you, despite your best security efforts. Know what security controls were in place before the breach and how your company will respond. Any government investigator will be interested in these details, and they can be planned ahead of time. While the exact circumstances of an incident will not be known until it happens, the facts about your company and its security program will not change. Know them. You will be far better prepared to answer government questions if you have the basics ready.

Finally, ensure that your employees understand why communications with government agencies must be limited to the designated representative, and that they know to refer any contact from a government agency to that person rather than responding themselves.

The above points should be part of any Government Response Plan. Investing the time and effort now to build your plan may save you significant time and expense when a data breach occurs.