DO: Decide on a definition of "breach" that incorporates your company culture, regulatory mandates, and relevant state law.
DON’T: Sweep an incident under the rug or think that "ignorance" is a valid defense.
DO: Act quickly to ascertain the details of what happened, and decide whether those facts meet your definition of a "breach".
DON’T: Rush an investigation or discovery phase with self-imposed deadlines. Thorough examination and a methodical approach take time.
DO: Maintain records of every element of the investigation that led you to conclude that you have had a data breach incident. If a law enforcement investigation is underway, obtain documentation and written recommendations for your records.
DON’T: Issue a press release or put your CEO into a press conference until all facts have been confirmed and you’ve planned every aspect of the data breach response. This is especially true if you are still deciding whether the event constitutes a breach, or if unusual or sensitive circumstances are at play.
DO: Assign, by name and role, the member of your team who will take the "lead" on managing the incident (most commonly a member of your information security or legal/privacy teams), and do the same for every other member of the response team (we can help you with this).
DON’T: Get too many cooks in the kitchen, or "sound the alarm" company-wide too early. Many recent incidents have involved an insider, and a premature company-wide alert can tip that person off and impede the investigation.
DO: Decide in advance how your organization will respond to an active intrusion. For example, do you want to cut the attacker off immediately, or have trained professionals monitor the activity to build a case for later use? Some of these actions are mutually exclusive: once you block the attacker, you can no longer observe what they do.
DON’T: Destroy or compromise any documentation or systems that may be related to the incident, including but not limited to email, system logs, computers and drives, and internal procedural documents. Wiping or reimaging a suspect machine before a forensic image has been taken counts as destroying evidence.