Michael Purcell recently wrote an op-ed for Corporate Counsel titled "Data Breaches: Why Prevention Isn’t Enough." The article mirrors the growing realization that security is a combination of prevention and preparedness. Our belief is that IT security should be built on prevention, detection and response. Part of response is building out, and maintaining, an actionable data breach response plan.
In this new article, Michael Purcell asks important questions that should go into planning for a data breach: “What kind of incident response plan should be in place following a breach? What should be included in the plan? Who should execute the plan? What is the proper blend of legal and IT responsibilities? How will the company respond to the inevitable lawsuits and investigations that follow?”
In the article, Purcell puts together a series of measures that in-house counsel could take to ensure organizations are prepared for a data breach. These include:
- Developing an Incident Response Plan
- Outlining how legal can work collaboratively with IT and other departments, which is often difficult
- Preparing for breach-related lawsuits and government investigations by regularly reminding employees of their duty to preserve data and by getting ready for e-discovery (which may mean calling in help or halting overwrite policies, for example)