A large portion of the data breaches that occur each year involve human resource related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to, a data breach.

This part discusses what employers can do to practice for a data breach before one occurs.

There is no replacement for training and experience when handling a data breach. In order to gain experience without having to wait for a breach to occur, many employers try to anticipate real-life situations that might arise and practice how they would respond.  There are generally two formats for practicing for a data breach: tabletop exercises and breach simulations.  The following provides a high level summary of the differences.

  •  Tabletop Exercises.  Although a tabletop exercise may take many different forms, it typically involves an experienced moderator (e.g., an attorney who focuses on data security breaches) who walks senior management through a data breach scenario and facilitates a discussion concerning how management would likely respond.  Tabletop exercises can last anywhere from a couple of hours to a full day.  Some provide multiple scenarios that are presented as vignettes.  Others try to simulate a real-life breach by providing multiple injections of factual information concerning a single breach throughout the day that approximates the type of information that a company might learn over the course of several weeks or months.  Regardless of the format, the goal in almost all tabletop exercises is to expose management to the types of issues that might arise in a data breach and to help management understand the strategic decision points that they may confront.
  • Breach Simulations.   Breach simulations are designed to test the ability of an organization to respond to a data breach. For example, a breach simulation of ransomware on an employee’s computer would test how quickly the information technology department is able to isolate an employee’s computer, whether they are able to restore the employee’s files from back-ups, and whether they are able to investigate if data loss has occurred. This simulation would also test whether management is prepared to make strategic decisions (e.g., does the organization pay extortionists, or does it not?). It also might test how HR handles questions that come in from employees, and whether HR is prepared to communicate with employees who may have been impacted by the incident.

TIP: When planning a tabletop exercise or a breach simulation, it is important to make sure that the person, or entity, that is conducting the exercise has knowledge and experience concerning the range of issues that arise in a data breach. Be careful not to select a moderator who may only have a narrow view of how a breach works or the issues that it may create. For example, while a forensic investigator may be able to design a realistic IT-scenario, they may not fully understand the public relations, legal, and business issues that arise during a breach. Similarly, while a public relations consultant is likely to anticipate the PR-impact of a breach, they may lack experience with the legal, business, and contractual impact.