Security Breach Response Plan Toolkit

Created by the IBM Corporation and Hogan Lovells US LLP as part of the IAPP’s Pro Bono Privacy Initiative


Why Use This Toolkit?

Implementation of an effective personal information security breach response plan enables organizations to fulfill their responsibilities to those individuals and entities that entrust the organization with personal information. Following a security breach response plan should enable organizations to comply promptly with legal requirements that apply to the organization as an owner and custodian of personal information, and to reduce the risk of a data security breach that causes serious harm to the organization’s reputation and finances, especially because of an inadequate response.

Scope of this Toolkit

The following questionnaire is intended to be used by an organization developing a personal information security breach response plan for data security breaches involving personal information. The results of the questionnaire will help organizations identify key information relevant to the creation of a security breach plan tailored to their particular needs and operations. The questionnaire and its responses therefore serve as a starting point for an actual Plan.

Key Definition: Personal Information

For purposes of this questionnaire, Personal Information means any information relating to an identified or identifiable person (employees and consumers) and includes, for example, a person’s name, physical address, phone number, e-mail address, social security number (SSN), credit card numbers, driver’s license numbers, passport numbers, date of birth, savings account, checking account, insurance policy or other health account or financial account number or information, and health or disability information. Personal Information includes employee background checks, including credit reports, and any records that are derived from this information. Additionally, Personal Information includes consumer credit reports and any records that are derived from this information that relate to an identified or identifiable consumer.

The above definition of Personal Information is broader than the definition of Personal Information under some breach notification laws, but sufficiently canvassing the potential sensitive data elements, even if they extend beyond the scope of certain data breach notification laws, is a necessary starting point.

Security Breach Plan Questionnaire

Collection of Personal Information

1.  What are the categories of individuals from or about whom your organization collects Personal Information (e.g., employees, volunteers, customers/clients, potential customers, website visitors, business contacts, others)?
2.  For each category of individual identified under item 1, what types of Personal Information are collected? Does your organization collect health/medical (including medical insurance) or financial information (including credit cards, debit cards or bank account numbers)?
3.  Is your organization a “covered entity” or “business associate” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)? (See the U.S. Department of Health and Human Services’ Summary of the HIPAA Privacy Rule for more information.)
4.  Are the individuals from or about whom you collect personal information located primarily in certain U.S. states? Outside of the United States? If feasible, identify the primary states or countries of residence of these individuals.
5.  In what format or medium does your organization store personal information (e.g., paper files, laptop/desktop computers, backup tapes, other portable media)?
6.  Does your organization encrypt personal information that is stored electronically? In databases? Back-up tapes?
7.  Does your organization encrypt the transmission of personal information (e.g., through email or wireless transmissions) and if so, all personal information or just certain specific types or files?
8.  Does your organization utilize access controls on its databases?
9.  Does your organization monitor and limit access to databases containing personal information to just those employees with a business need? If yes, is that process documented and is there periodic review of access rights?
10.  Do your databases have logging that, in the event of an external or internal breach incident involving the database, would enable identification of those employees that accessed records and changed records?

Third Party Relationships

11. Does your organization use third party service providers that collect, store, transmit, or otherwise handle personal information?
12. Has your organization entered into any agreements with third parties that would require notification to the third party in the event your organization experiences a security breach (e.g., if you serve as a third party service provider to another organization)?


13.  Is there a particular person or group of persons responsible for developing and implementing privacy and data security policies and procedures for your organization? Please identify these persons.
14.  Please identify the appropriate individuals from the following departments (or their equivalents within your organization) that could serve on a security breach response team:
          a. Office of General Counsel
          b. Privacy/Compliance
          c. Information Technology
          d. Security
          e. Human Resources
          f. Communications/Media Relations
15.  Do you envision any challenges promptly convening a multi-departmental Security Breach Response team in the event of a security breach incident? If so, what are those challenges?
16.  Is there a privacy awareness and training program at your organization relating to personal information? If so, does the program address security breaches involving personal information, including instructions to staff regarding to whom to report security breach incidents?
17.  Does your organization currently have any policies or procedures that relate to detecting and responding to security incidents or breaches of personal information?
18.  Does your organization have a cybersecurity incident response plan (which may be designed to detect IT network intrusions or other hacking incidents, regardless of whether they implicate personal information or not)?

Prior Incidents

19.  Has your organization experienced any security breaches involving personal information?
20.  Was notification provided to affected individuals? To state agencies/law enforcement authorities?
21.  Has your organization developed a template breach notification letter for individuals?
22.  Has your organization developed a template breach notification letter to state agencies or other regulatory bodies (such as HHS for HIPAA covered entities)?


23.  Are data security breaches covered by your organization’s insurance policy?
24.  Does your organization have contacts with local law enforcement authorities?
25.  Do you maintain contact information for state and federal law enforcement authorities, particularly for those enforcement authorities experienced with identity theft issues and/or with cybercrime responsibilities?
26.  Does your organization maintain contact information for consumer reporting agencies?
27.  Do you have contacts with, or pre-breach contractual arrangements with any credit monitoring service providers?
28.  Do you utilize or have contacts with public relations firms with experience assisting companies with data breach incidents?
29.  Do you utilize or have contacts with forensic investigation firms with experience assisting companies with data breach incidents?
30.  Do you utilize or have contacts for law firms and lawyers with experience handling and counseling companies regarding data breach incidents?
31.  Do you have sufficient internal capabilities to handle communications to individuals (e.g., if you hold personal information on a larger number of individuals, are you able to engage in large-scale mailings, set up a calling hotline, and handle large numbers of calls with customer service reps)? If not, do you have contacts with services that can perform those functions?

Next Steps: Developing the Plan

You can use the completed Questionnaire to develop a plan for how your organization will handle a potential data security incident. Components of the plan can track these elements, although you will want to tailor them to the needs of your organization:

Response team members and Contact Information:

Procedures for analyzing and containing a potential data security breach:

Plan for notifying affected individuals:

Remediation measures to be taken following a data security breach:

External resources:

  • Legal (e.g. resource to research applicable state laws):
  • Communications
  • IT security/Forensics

Credit bureau information:

Insurance information (if any):

Perhaps as importantly, you can use the completed Questionnaire to take steps now to lessen the likelihood of a security breach. Identify technical, procedural or policy changes that, taken now, will reduce risk; prioritize these measures and incorporate actions as appropriate in the organization’s operations.

The information in this presentation was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute legal advice and accordingly, you should consult with your own attorneys when developing programs and policies. You should not take, or refrain from taking, action based on its content. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. Moreover, this presentation cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances.