
How to Make Your Incident Response Plan

Canopy Team February 19, 2019



At Legalweek New York 2019, Canopy attended the "Beyond The Attack – Legal & Ethical Considerations In Breach Response" session. The panel educated us about the interplay between corporate, legal and IT in responding to a data breach. There was one resounding message: have a plan for incident response. For good reason, this message was repeated at almost every conference Canopy attended in the past year. According to the Ponemon Institute's 2018 report, The Third Annual Study on the Cyber Resilient Organization, “only 24 percent of respondents say they have a Cyber Security Incident Response Plan (IRP) that is applied consistently across the enterprise.” Below are four pragmatic design considerations for a data breach response plan:


1. Make sure incident response is covered under attorney-client privilege.

The incident response team must understand how to shield itself from discovery of documents protected by the attorney-client privilege and the work product doctrine. Simple process missteps can eliminate or waive these protections. When developing an incident response plan, consider new and evolving case law on how the attorney-client privilege and the work product doctrine apply to data breach work.


2. Perform regular tabletops.

“Tabletops” are discussion-based table exercises in which the incident response team talks through its roles in a hypothetical breach. This approach is a low-effort means to test the team's understanding of the plan. Tabletops stop short of testing how the team would respond to a data breach incident. Panelist Jennifer Beckage, Esq. CIPP/US stated, “Using experienced professionals is critical when creating an incident response plan and performing table top exercises.”


3. Have a communications plan.

A plan is not good enough unless it is regularly tested and updated. In one instance, although a company had a plan, the contacts were not maintained. Valuable time was lost identifying the right person to contact because of reorganization and employee departures. One panelist went as far as to recommend updating the contacts in your cell phone.


4. Retain vendors prior to the incident.

Responding to and remediating a material breach requires a wide array of skills. Contracting vendors during a data breach can be likened to trying to jump on a train going 100 mph. Supply chain activities should be kept to a minimum during a data breach to limit the organizational impact of the breach.