While it isn’t something most secure destruction companies or information technology asset disposition firms ever want to deal with, being prepared for security breaches is necessary. Business owners need to be ready for an investigation at any time.
That is the reasoning behind the Phoenix-based Secure Information Governance & Management Association (i-SIGMA) webinar titled When the S#@t Hits the Fan: Planning for Investigations and Accusations. It was one of 10 webinars in i-SIGMA’s Road to Recovery series this summer. Attendees heard from Angie Singer Keating, CEO at Reclamere, a data destruction and data security company based in Tyrone, Pennsylvania. She shared real-world situations and tips on how to respond.
Defining an incident
Many might think an incident is always a disaster; however, it might not be that severe. During her presentation, Singer Keating shared that anything outside of your normal operations should be considered an incident, whether it involves personnel, equipment, a process or a combination of those things.
Those incidents can play out in many ways, including insurance claims, loss of revenue or damage to a firm’s reputation.
They also could result in a lawsuit. “I can tell you from firsthand experience that those types of incidents will take several years to play out,” Singer Keating said of incidents that result in litigation.
She noted how essential evidence, whether verbal, digital or physical, is to documenting these situations.
Singer Keating said IT often is at the center of incidents but not always. “Now that’s not to say that … you would only need to have an incident response plan for things that involve IT or electronic data,” she added.
Workplace issues, such as harassment and substance abuse; natural disasters; or stolen property also could result in an incident. Singer Keating said evidence in those situations could be critical to resolving them in a satisfactory, timely way.
Have the best response plan
With cyberattacks, workplace incidents and data breaches, there isn’t a one-size-fits-all plan to incident response. When explaining how to ensure a plan is in place, Singer Keating used an IT incident at her firm as an example, adding that many steps can be substituted to formulate a similar plan.
In creating a plan that can be shared across a company, Singer Keating said graphics and images are helpful. They can clearly show the correct steps and break them down by each type of incident.
“Who is going to do the initial identification? Who is going to be logging and categorizing it? Who is going to do triage?” she asked, displaying a flow chart during the webinar. “Then, how is it going to map out from that point, and who is going to be responsible?”
Singer Keating said similar incidents could have vastly different responses. For example, a data breach could be less impactful if the information is less sensitive: a breach that potentially exposes contact information would warrant a different response than one that exposes confidential medical information, because the impact on those affected differs.
“Once an organization develops its response program, it will find it necessary to establish relationships with key departments and third parties,” one of Singer Keating’s slides indicated.
She added that third-party relationships need to remain strong and stable so that a company is prepared to work with these organizations and is confident in how they will handle sensitive information. Third parties can include law enforcement, human resources and a company’s legal department or external legal counsel.
“I can tell you that in incident response, one of the biggest challenges with vendors is who do you talk to,” she said. “The bigger these third-party vendors are, the more difficult it is to find the right person to participate in the incident response process.”
Singer Keating said that when a client’s data is involved, notifying that client is not always an immediate matter when an incident happens, because often a contract is in place that specifies when to do so. It’s important to do an internal investigation before notifying a client, she added, so that you are going to them with the most complete information possible.
“Whenever there is an incident, it’s really important for your employees to know who they should go to immediately,” Singer Keating said. “The last thing you want is for an employee to make a decision and take it upon themselves to notify a client about something or to admit [something] to a client before an investigation has even been done.”
Depending on the size of your organization, Singer Keating said only one person should be in contact with clients or third parties. That person should be designated in your incident response plan so everyone in the company is aware of who is in place to handle such communications.
Keeping track of incidents
Singer Keating closed her presentation with an explanation of the importance of keeping track of incidents involving your company. It isn’t just about keeping track of items during an investigation, though; it’s also about keeping track of all incidents collectively, so you have an overview when needed.
Keeping track of incidents also serves as a report card of sorts and allows company managers to see how the business has handled them and how they have been resolved. Plus, many of those logs and documents are required by regulators.
While incidents often are avoidable, they’re still going to happen. Singer Keating’s advice was for companies to do most of the investigative work early on so they are prepared for such incidents when they happen.