- Mitigate risk through incident response documentation.
- Well-documented incident response can provide credibility with regulators, investors, and the public.
- Best practices for incident response documentation.
Read more below.
In the rush of incident response, the focus is on investigation, assessment, and notification to meet regulatory deadlines. Documentation may be merely a by-product of the process. But, especially when the initial rush is over, documentation is the key to mitigating multiple risks, according to Red Clover Advisors founder, CEO, and consultant Jodi Daniels, so it’s worth some strategic investment. As Daniels told us in a recent interview, if trouble arises, “The one with the best documentation wins.”
Documentation During Incident Response
Every incident should be fully documented. As Daniels says, “You need a paper trail.” However, she advises being mindful of what’s documented in the early stages of incident response.
“At the very beginning, there can be a lot of conflicting information and uncertainty, and you want that information kept mostly verbal and confined to a few people on the front lines, to minimize risk that it could get outside the organization. Uncertainty is normal in the early stages of incident investigation, but to people outside the process, uncertainty could look like confusion or changing the story.”
That said, Daniels reiterates that documenting solid facts and actions taken is essential. “Without documentation, you can’t prove what you did and why.” Your data inventory/data map becomes part of the documentation, enabling you to quickly capture detailed information on the affected data, where it lives, existing risk assessment, and mitigation related to that data.
It’s also best if the “paper” trail is actually a digital trail in an incident response system that is available to all members of the incident response team. An automated incident response platform ensures that documentation is automatically created as a by-product of the incident response process, rather than slowing the process down.
And shared access to it helps keep all stakeholders in line. As Daniels says, “A data breach is a complex situation where you have a lot of parties coming together, so it’s important that you’re all working from consistent facts, and everyone is communicating consistently. And if the players change, for example, if you were to have a new CISO or counsel, it’s critical that the new person has that history.”
She also observes that there are advantages to having incident response documentation kept outside your network.
“If I can’t get to my systems in case of a ransomware attack, how can I respond? You have to have an incident response plan and tools that are not on your network, whether they’re printed or you use a third-party IR platform. Also, after a cyberattack, you don’t know if the bad actor is still in your system. Mounting the response effort outside the system reduces the likelihood of a bad actor tracking what you’re doing. You don’t want to show your chess pieces.”
Documentation and Perception
Daniels says the greatest value of a well-documented incident response is credibility, whether with regulators, investors, or the public. “Show what you’ve done. It proves that you didn’t ignore a problem. You didn’t sit on it. You did the right thing.”
According to the 2021 Ponemon Institute Cost of a Data Breach Report (CODB), the average data breach cost is now $4.24 million, a 10% increase from the previous year. And the largest share of that cost, at 38%, is due to lost business.
But the 2020 report established that a well-defined, tested incident response process is the biggest factor in mitigating the cost of a breach, with savings averaging over 75%. Since lost business is the largest breach cost, it’s certainly worth investing time and resources in good documentation that boosts credibility and helps minimize reputational damage.
Daniels says many organizations worry about the perception of investors, as well as the public. (It’s one reason why Fortune 500 companies are increasingly addressing privacy risks in their annual SEC filings.) But she points out that proof of good incident response could actually be a selling point.
“Many investors are accustomed to companies not having a strong incident response program, so having proof of one is a positive. Be honest. Any data breaches will come up during due diligence anyway if you sell, and the investor is buying based on the strength of the people, too. If you’re not forthcoming, they’ll think ‘If you aren’t trustworthy, why am I buying you?’ Besides, bad actors will sometimes pounce on a vulnerable system during an acquisition or big investment, so an investor will be pleased to see that you’re prepared.”
Documentation and Regulatory Risks
Of course, documentation is a huge mitigating factor in avoiding regulatory penalties. It can show that you met compliance deadlines, how you made notification decisions, and that you’re responding consistently—all things that regulators will look for. While it’s always a benefit, Daniels says some jurisdictions put particular emphasis on documentation.
“GDPR is a documentation-heavy law. You need to prove what you’ve done. Under CPPA, also, you need to be able to prove that you’ve been compliant. And there have been lots of cases under CCPA already.”
Documentation and Litigation Risks
While many jurisdictions don’t provide an individual right of action for privacy violations, Daniels says, “There will always be some people who are trying to get what they can. If you can’t prove what you’ve done [with documentation], you can’t defend.” As the Perkins Coie litigation report points out, the CCPA doesn’t provide for an individual right of action for violation of privacy rights alone, but that hasn’t stopped consumers from filing claims that a defendant violated their rights by being non-compliant.
Daniels says documentation can also work in an organization’s favor when it is the claimant. “You might analyze your documentation and find that one vendor is a consistent cause of incidents. With evidence in hand, maybe you take that vendor to court.”
Best Practices for Incident Response Documentation
Like every other part of effective incident response, documentation begins with preparation. You have to plan for it in your tools and process, and you need a solid data inventory in place to jumpstart incident assessment and to document where personal information exists. Daniels also advises:
- Start to document only when you have more solid facts or a plan.
- Don’t start to document until in-house and external legal counsel are involved.
- Don’t document without mitigating context. For example, if PII was exposed but encrypted, include both of those facts in the documentation.
- Always include the forensic report in incident documentation.
- Get the insurance company involved so you’re also documenting what they need.
- Document all actions and your plan of attack to show you’ve been on top of it. In fact, document any type of mitigation, whether in response to an incident or proactive.
- Control access to the documentation carefully. (For example, you wouldn’t want a disgruntled employee grabbing privileged information and making it public.)
Daniels emphasizes that detailed planning and preparation are essential to every aspect of incident response.
“You should have a documented plan, and you should know the people who will be a part of it: in-house legal, crisis communications, etc. Who are the backup people if they’re not available? Who needs to add to and who needs to be copied on the documentation? Know your insurance provider and coverage, and who’s on their panel.
“Once you’ve got a plan, review and update it. Run simulations, both scheduled and unscheduled. When the time comes, the incident will be different than what you rehearsed, but you’ll be far better off having done something than nothing.”