A Cyber Breach Contingency Plan is Not Just the CIO's Responsibility - InformationWeek

Ask any CIO and they'll likely tell you one of their greatest fears is a data breach, and rightfully so. Having a plan in place for when the worst does happen and knowing there's a team of people to back you up should relieve some of the anxiety.

On March 22, CBS News reported that the City of Atlanta was hit with a ransomware attack. Four days later, some city applications were still down. The New York Times called the incident, “one of the most sustained and consequential cyberattacks ever mounted against a major American city.”

When a governmental entity experiences a cyberattack, an entire city or state can come to a grinding halt, but having a contingency plan in place can keep a breach from going from bad to worse.

“The interruption of governmental systems is so detrimental to not only the economy but the citizens of the United States. I think [a cyber threat] is something that state, county, and local governments need to not only pay attention to but be proactive in addressing,” says Stewart Roll, principal at Climaco, Lefkowitz, Peca, Wilcox & Garofoli Co., LPA.

Roll, who will be presenting Cyberattacks and Cybertheft: Legal Obligations and Mitigation Strategies at the IT industry event Interop ITX this spring, says, “Every governmental entity should take an active role in creating a contingency plan to address what happens when and if an attack occurs, and what things should be done to prevent that attack from doing damage to data that should be kept private.”

If you’re an IT manager or CIO and believe that building a cyber breach action plan and responding to a cyberattack rests entirely on your shoulders, don’t fret, because it doesn't.


In order to create an effective contingency plan, Roll says, your first step should be to get leadership involved. “The leader of the entity has to be aware of cybersecurity issues and has to mandate what the CIO or other people in charge of sensitive data need to do to protect the data.”

Next, Roll says to make sure you have a lawyer involved, so you’re crossing all T’s and dotting all I’s. “The CIO’s job, in my mind, would include having the organization’s lawyer involved in the process so that the lawyer can appropriately advise the CEO [or leadership] of the entity.”

If there’s no in-house legal team, Roll says he believes it’s necessary and appropriate for a CIO to speak with their CEO about the appropriateness of hiring legal counsel to help build that contingency plan.

Another aspect of managing cyberattack damage is to think through the ways you can limit liability. “One of the things lawyers can do for their IT people is [to] prepare terms and conditions that require the user of the governmental system to agree to in connection with the use of that system,” says Roll.

Those conditions can address issues such as no liability unless there is gross negligence on the part of the governmental entity, no liability if the governmental entity complies with the applicable law, and no liability if the user gives out their password and allows another person to access the data in question, says Roll.

Liability isn’t just on the plate of the IT department or the governmental entity. Roll says that when IT managers and CIOs buy software, they can require the vendor of that software to provide appropriate contractual protections and indemnification for the governmental entity.


Lastly, Roll urges IT to work with their purchasing departments to buy insurance in case claims are made against their entity for not following regulations in their particular state. While holes do exist in the insurance offered today, Roll says he'll address how those holes might be addressed during his presentation at Interop ITX.

Once an attack occurs, Roll says there are many resources available to help IT figure out the issue.

Roll suggests disaster preparedness training, which is offered by the Department of Homeland Security (DHS). “DHS, they’re there to help, it really does apply here. The computer emergency readiness team (US-CERT) set up by DHS is obligated by law to help people that are subject to attacks,” says Roll.

Emily Johnson is the digital content editor for InformationWeek.
