
Law Technology Today


Demystifying Incident Response and Data Breach Notification



Yalanskyi


As the number of high-profile cyberattacks and data breaches has increased in recent years, more companies have invested in securing their systems and developing incident response plans. While these are essential concerns, a firm’s obligations don’t simply end once a threat has been removed from the network and normal operations resume. The firm must also notify those whose data may have been impacted by the breach. This notification process can be daunting, but with preparation, strong defenses, and the aid of an experienced breach response team, it can be tamed.

Before a Breach Occurs: Proactive Steps

The mantra that suffering a data breach is a matter of “when” rather than “if” still stands. There are numerous proactive steps organizations can take to better prepare for when that time comes. First and foremost, this involves implementing and maintaining a strong security program, which will go a long way toward easing the steps leading up to a notification. But there are also further nuances to be aware of:

  • Know what and where sensitive data is handled within the organization.
  • Implement a Cyber Security Framework which encourages strong cyber security practices.
  • Assess and test logging capabilities on a regular basis.
  • Have a robust and tested back-up strategy.

During a Breach: Preservation

During the incident itself, remediation and business continuity will be on the forefront of everyone’s mind. Organizations that respond to incidents best are able to perform the following expeditiously:

  • Retain or mobilize an incident response team.
  • Minimize the time between incident and preservation.
  • Know where transient data exists within information systems.

After a Breach: Data Mining and Notification

Once an organization has identified and preserved all the data exposed in the breach, the process of data mining can begin. Put simply, data mining is the programmatic searching and manual review of exposed data to determine what information has been exposed. Data mining directly produces the notification list; it can be made more effective by:

  • Maintaining communication with the incident response team to guide identification of data at risk.
  • Including relevant stakeholders, including legal counsel (internal and external), trained forensic examiners, the data mining team, and technical personnel with oversight of the data systems.
  • Being prepared to correlate data with live systems and structured data sources.
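As an added illustration (not code from this article, and not Kroll’s tooling), the following Python sketch shows what the programmatic-search half of data mining looks like: scan preserved files for notifiable data elements, correlate each hit with a structured customer source, and produce a per-person notification list. The file contents, customer records, line-level correlation heuristic and pattern set are all constructed placeholders for the example.

```python
import re
from collections import defaultdict
# Constructed sample of preserved "exposed" files (placeholder data, not real).
EXPOSED_FILES = {
    "export.csv": "id,name,ssn\n1001,Ann Lee,123-45-6789\n1002,Bob Ray,987-65-4321\n",
    "notes.txt": "Call Ann Lee (ann@example.com) about invoice 77.\nBob Ray card 4111 1111 1111 1111 exp 12/27.\n",
}
# Constructed structured source (e.g. a CRM extract) used to correlate hits with people.
CUSTOMERS = {
    "1001": {"name": "Ann Lee", "email": "ann@example.com", "state": "CA"},
    "1002": {"name": "Bob Ray", "email": "bob@example.com", "state": "NY"},
}
# Notifiable data elements; the deliberately loose card pattern is tightened with a Luhn check.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_elements(line: str) -> set:
    """Kinds of sensitive data elements present on one line of text."""
    kinds = set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(line):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # digit run that fails Luhn: treat as a false positive
            kinds.add(kind)
    return kinds

def correlate(line: str) -> set:
    """Customer ids whose id, name or email appears on the same line (simple heuristic)."""
    return {cid for cid, c in CUSTOMERS.items()
            if cid in line or c["name"] in line or c["email"] in line}

def build_notification_list(files: dict) -> dict:
    """Map each affected customer to the exposed element kinds and their state of residence."""
    affected = defaultdict(set)
    for text in files.values():
        for line in text.splitlines():
            kinds = find_elements(line)
            for cid in (correlate(line) if kinds else ()):
                affected[cid] |= kinds
    return {cid: {"state": CUSTOMERS[cid]["state"], "elements": sorted(k)}
            for cid, k in affected.items()}
```

The state and element kinds carried per person are what drive which notification rules apply and what each letter must say; in practice the manual review step then confirms or discards each programmatic hit.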

By implementing these data processes before, during, and after an incident, the data breach notification process can be dramatically simplified. In doing so, unforeseen costs are less likely, and the chances of logistical problems are minimized. What’s more, a strong cyber security foundation will go a long way to prevent and appropriately respond to a data breach, as the data is secured, stored and preserved using industry best practices.

Kroll’s Cyber Risk team has years of experience helping businesses navigate this difficult terrain. Our end-to-end proactive response and investigative services help organizations at any stage of a cyberattack, specifically to support effective breach notification. Kroll’s cyber security professionals can help clients design their system at the outset to ensure all necessary data is easily accessible and examinable. When a breach occurs, Kroll offers remote or on-site assistance to help organizations complete data preservation. Finally, after the fact, Kroll can step in with the right team to mine the data and be able to conduct notification. Ultimately, Kroll enables its clients to minimize risk by protecting customer data and fulfilling legal and regulatory obligations, all while maintaining a close eye on the organization’s reputation.