With the escalation of cyberattacks, health care organizations should have an incident response plan in place, according to attorneys at Morgan Lewis who developed this data breach checklist. They won’t have time to plan when a ransomware attack or other breach is underway, according to Scott Memmott, Mark Krotoski, and Reece Hirsch. The attorneys recommend tabletop drills, where hospitals “dream up a worst-case scenario and simulate what decision-makers would do and assess the level of preparation,” Hirsch said. Contact Krotoski at mark.krotoski@morganlewis.com, Memmott at scott.memmott@morganlewis.com and Hirsch at reece.hirsch@morganlewis.com.
PHASE I: ALERT AND ORGANIZATION

- Company alerted to possible data breach—record date, time, and method of alert
- Notify internal Incident Response Team (IRT), consisting of a representative from
  - Information Technology
  - Legal/Compliance
  - Outside Counsel (Morgan Lewis)
  - Human Resources
  - Public Relations
  - Customer Service
  - Executive
- Identify an Incident Lead for this incident—performs as project manager
- Contact outside counsel at Morgan Lewis
- Convene conference call of IRT
- Consider hiring forensic technology partner depending on available internal resources and complexity of breach
- Notify insurance carrier/understand scope of preauthorization or limitations on third-party vendor reimbursement
- Check with counsel on proper role and implementation of the attorney-client privilege in the data breach investigation

PHASE II: INITIAL SCOPING BEFORE CONTAINING AN ONGOING BREACH

- Identify, document, and preserve scope of compromise to the extent possible within 24–48 hours
- Consider notifications or steps to take before stopping the breach that may prevent harm in the event the act of stopping the breach alerts data thieves that you have discovered them
- Preserve any evidence related to the ongoing breach

PHASE III: CONTAIN THE BREACH

- Be sure that the full scope of compromise is understood to the extent possible within 24–48 hours
- Contain/arrest the breach—stop any possible flow of data to unauthorized recipients
- Document results of containment effort

PHASE IV: INVESTIGATION

- Root cause analysis
- Classify type of breach
  - Hacking
  - Internal
  - Loss/theft of tangible data (computer, device, storage media)
  - Inadvertent disclosure
  - Loss with no known disclosure
  - Other
- Full identification of data compromised
  - Type of information compromised
    - Sensitive personal information
      - Social Security numbers
      - Credit card information
      - Financial account data
      - Medical information
      - Usernames and passwords
      - Driver’s license numbers
      - Other sensitive personal information (disclosure of which could cause harm)
    - Other personal information
      - Contact information (name, address, email address, phone number, etc.)
      - Preferences, purchase history
      - Other information linked to a person that is not sensitive
  - Individuals whose information was compromised, including where they reside
- Determine nature of any unauthorized recipients
  - Employee acquisition in good faith
  - Business partner
  - Trustworthy recipient who normally receives information of this nature
  - Unknown individuals, but definite disclosure
  - Lost information—may not have been disclosed
  - Suspected bad actor/employee not in good faith
  - Known bad actor/departed or departing employee
- Assess known or discoverable actual use of compromised information
- Undertake security updates necessary before notification

PHASE V: NOTIFICATIONS (IN LIGHT OF INFORMATION DEVELOPED IN PHASE IV)

- Before notifications
  - Develop public relations plan for potential media inquiries
  - Consider notification to company board of directors or others who should be notified before public
  - Prepare for inquiries from affected individuals—call center or other
- If criminal and depending on seriousness and other factors, notify law enforcement—local, FBI, Secret Service, or other
- If required by law or recommended because individuals could do something to prevent further harm to themselves, make notifications to affected individuals. If made,
  - Include what happened, what the company has done, and what the individual can do to prevent any harm
  - Include legally required information and resources available from government agencies
  - Consider an offer of identity theft prevention/credit monitoring depending on nature of information compromised
- Notifications to government agencies and Attorneys General as required by law
- Other notifications as required by information at issue
- Evaluate feedback from notifications and determine if additional steps/notifications are required

PHASE VI: POST-NOTIFICATIONS

- Disclosures to investors, stockholders, Securities and Exchange Commission, securities disclosures, etc.
- Cost recoveries—responsible third parties, insurance, other
- Consider longer-term security upgrades or other measures to prevent reoccurrence or similar events
- Analyze data breach notification plan/checklist for necessary changes in light of lessons learned
- Prepare final reports
  - Executive report with a summary of what happened, how it was addressed, what notifications were provided, and steps taken to prevent future incidents of the same or similar nature
  - Technical report with detailed background of the event; evidentiary backup for analysis, decisions, and conclusions; and evidence of preventative measures

REMINDERS

- Maintain confidentiality—update IRT and executives frequently; other disclosures only to those who need to know
- Preserve evidence and information for future investigations
- Document events with dates and times; record reasons for determinations made
- The European Union General Data Protection Regulation has a 72-hour deadline for some notifications; check early with outside counsel about whether it applies and how to manage it.
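Three of the record-keeping items above (record the date, time and method of the alert; preserve evidence; document events with dates, times and the reasons for determinations) and the 72-hour reminder can be backed by a small tool the IRT keeps at hand. The following is an added example, not part of the Morgan Lewis checklist and not the firm's or any vendor's code. It keeps a hash-chained incident timeline so that later editing or deleting an entry is detectable, logs the SHA-256 of each preserved evidence artefact, and computes a 72-hour deadline. The incident id, timestamps, alert method and evidence bytes are constructed sample values, and the assumption that the 72-hour clock starts at the recorded alert time is this example's simplification: when the clock actually starts is for outside counsel to determine, as the checklist says.

```python
"""Tamper-evident incident timeline for a data breach response (added example)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the 72-hour window is counted from the recorded alert time.
# Whether GDPR applies and when the clock really starts is a question for counsel.
GDPR_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class Entry:
    """One timeline entry; prev_hash links it to the entry before it."""
    ts: str          # ISO-8601 UTC timestamp of the event
    event: str       # what happened or what was decided
    reason: str      # why the determination was made
    prev_hash: str   # digest of the preceding entry, or GENESIS for the first
    digest: str = ""

    def compute_digest(self) -> str:
        payload = json.dumps(
            {"ts": self.ts, "event": self.event, "reason": self.reason, "prev": self.prev_hash},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class IncidentLog:
    GENESIS = "0" * 64

    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.entries: list[Entry] = []
        self.alert_time: datetime | None = None

    def record(self, event: str, reason: str, ts: datetime | None = None) -> Entry:
        """Append an entry chained to the previous one; timestamps must be tz-aware."""
        ts = ts or datetime.now(timezone.utc)
        if ts.tzinfo is None:
            raise ValueError("use a timezone-aware timestamp so the record is unambiguous")
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        entry = Entry(ts.astimezone(timezone.utc).isoformat(), event, reason, prev)
        entry.digest = entry.compute_digest()
        self.entries.append(entry)
        return entry

    def record_alert(self, method: str, ts: datetime) -> Entry:
        """Phase I item: record date, time and method of the initial alert."""
        self.alert_time = ts.astimezone(timezone.utc)
        return self.record(f"alert received via {method}", "initial alert; starts the timeline", ts)

    def gdpr_deadline(self) -> datetime:
        if self.alert_time is None:
            raise RuntimeError("no alert recorded yet")
        return self.alert_time + GDPR_NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left in the assumed 72-hour window (negative once it has passed)."""
        return (self.gdpr_deadline() - now.astimezone(timezone.utc)) / timedelta(hours=1)

    def preserve_evidence(self, label: str, data: bytes, reason: str,
                          ts: datetime | None = None) -> str:
        """Log a SHA-256 of an evidence artefact so its integrity can be shown later."""
        digest = hashlib.sha256(data).hexdigest()
        self.record(f"evidence preserved: {label} sha256={digest}", reason, ts)
        return digest

    def verify(self) -> bool:
        """True only if every digest and back-link is intact (no edits, no deletions)."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry.prev_hash != prev or entry.compute_digest() != entry.digest:
                return False
            prev = entry.digest
        return True


def build_demo_log() -> IncidentLog:
    """Constructed sample incident: id, times, method and evidence bytes are made up."""
    log = IncidentLog("INC-EXAMPLE-001")
    t0 = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)
    log.record_alert("SOC alert email", t0)
    log.record("IRT conference call convened; incident lead assigned",
               "Phase I organization step", t0 + timedelta(hours=1))
    log.preserve_evidence(
        "web-access-log-excerpt",
        b"constructed sample: 2024-03-04 08:52 GET /export?all=1 from 203.0.113.7\n",
        "Phase II: preserve evidence before containment", t0 + timedelta(hours=2))
    log.record("containment: export endpoint disabled",
               "Phase III: stop flow of data to unauthorized recipients", t0 + timedelta(hours=3))
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("chain intact:", demo.verify())
    print("assumed GDPR deadline:", demo.gdpr_deadline().isoformat())
    for e in demo.entries:
        print(e.ts, e.event, "|", e.reason)
```

The chain gives the technical report in Phase VI its "evidentiary backup": anyone holding the log can recompute every digest and show that no entry was altered or removed after the fact. Writing each entry to append-only storage (or printing it to a separate, counsel-controlled record) is what makes that guarantee hold against a compromised host.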