Incident Response Plan – Why You Need One and How to Create It

The old adage “If you fail to plan, you are planning to fail” rings true across many areas; information security and data breach response are no exceptions. Information is a valuable asset of every business, and when the security of that information is breached, organizations face a minefield of potential liability and reputational damage.

After helping our insureds respond to more than 30,000 data security incidents, Beazley’s Cyber Services team knows that organizations with a well-designed incident response plan typically negotiate this minefield far better than organizations without a plan in place. A haphazard response often makes the consequences of a data breach much worse.

What is an incident response plan?

An incident response plan (IRP) is a written roadmap by which organizations intake, evaluate, and respond to a suspected or actual breach of computer systems or the theft, loss, or unauthorized disclosure of personal information. An IRP is distinct from a business continuity or disaster recovery plan. Unlike those documents, the primary purpose of an IRP is to manage privacy or security incidents in a way that limits damage, increases the confidence of external stakeholders, satisfies legal obligations, and reduces costs.

The incident response team

Typically, organizations start the IRP drafting process by first appointing an incident response team (IRT) – i.e., the individuals who will actually perform the substantive tasks at hand. Recognizing that no two organizations are alike, we recommend designating a primary and secondary representative from at least each of the following stakeholders:

Classifying the threat level

The next key area to focus on is incident classification. When it comes to information security incidents, no two are entirely alike, and each will require different response mechanisms and IRT member participation. A good IRP foresees this and triages incident types based on an easy-to-use set of criteria. Here, for example, are three simple threat levels:

Preserving evidence for investigation

Preserving evidence for forensic analysis can be crucial in incident response, and a good IRP recognizes that in certain situations the desire to restore operations must take a back seat to preserving the environment for forensic analysis.

Communicating about the incident

A well-thought-out IRP does not, however, stop at the technical component of the investigation⁵. It continues to provide a roadmap for how to move forward once the technical investigation has confirmed the theft, loss, or unauthorized access to personally identifiable information. To that end, a well-designed IRP speaks to the actual methodology behind responding to a confirmed “data breach,” as that term is defined under the laws that apply to the organization and the type of data.

The IRP is not intended to take the place of actual legal analysis or public relations guidance, but it should outline what the organization needs to accomplish once it appears that a data breach may require notification to affected individuals, regulators, or the media. Without set guidance in the IRP, organizations struggle with what to say, how to say it, and when to say it. Quite often, even well-meaning actions that are not filtered through the IRP result in unnecessary damage to the organization.

Avoiding common pitfalls when drafting an IRP

If you’re in the early stages of assembling an IRP for your organization, there’s no need to reinvent the wheel. But whether you’re just starting or already have a plan in place, we recommend steering clear of the following issues, which we see cause problems for organizations over and over again.

The “B” word

The IRP is an “incident” response plan, not a “data breach” plan. “Data breach” is a legal term with a specific meaning. A good IRP avoids using that term entirely. Members of the IRT should not refer to an incident as a “breach” in writing or during the investigation. Leaving an email or paper trail of “breach” references could be particularly problematic if the investigation concludes notification is not required because there is no breach under relevant law. Don’t provide ammunition for regulators or plaintiffs’ attorneys.

Conclusion

The reality of information security today is that the idea of an “impregnable” network perimeter, able to keep intruders at bay, is long gone. Whether it comes about because of a determined and skilled hacker or simple human error, a data breach is no longer an “if” but a “when.” To assume otherwise, and not prepare for the minefield, will greatly harm your organization’s brand, balance sheet, and business. But with a well thought-out IRP that follows the principles outlined above, a plan that you test and update regularly, your organization will be better equipped to turn a potential crisis into a manageable bump in the road.

¹ Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures § 12.10.1 (ver. 4.0.1 June 2024), https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
² 45 C.F.R. § 164.308(a)(6), discussed in U.S. Dep’t of Health & Hum. Svcs., HIPAA Security Series no. 2, Security Standards: Administrative Safeguards, http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
³ Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice I.A.2(c), 70 Fed. Reg. 15,736 (Mar. 29, 2005), https://www.gpo.gov/fdsys/pkg/FR-2005-03-29/pdf/05-5980.pdf
⁴ See, e.g., Standards for Protection of Personal Information of Residents of the Commonwealth, 201 Code Mass. Regs. § 17.
⁵ Indeed, for information held in certain formats (e.g., paper) or involving simple and inadvertent disclosures, the technical members of the IRT may be entirely unnecessary.
⁶ According to KPMG, 19% of retail shoppers would not return after a hack compromising personal information, and almost 50% of the remainder would take three to six months to return. KPMG, Consumer Loss Barometer (July 2016), available at https://info.kpmg.us/consumer-loss-barometer.html