Leaders Come Together for Incident Response Planning Practical Tips and Takeaways

July 06, 2023

Leaders Come Together for Incident Response Planning Practical Tips and Takeaways

By David S. Cochran, Director, Partner Alliances

Understanding the importance of a comprehensive and decisive timely response to a data breach can mean saving a company’s confidential data and millions of dollars. The two most important leaders within an organization to address this are the Chief Privacy Officer (CPO) and Chief Information Security Officer (CISO). Taking a collaborative approach and creating a proactive action plan will lead to a seamless implementation in the event of a dreaded incident.


The following tips and takeaways will help all involved reduce the unknown challenges that may await.


The most important component of a plan is to create a cohesive team well before an incident. The team should be jointly led by the CPO and CISO and include key internal stakeholders, such as IT, business unit leaders, legal, procurement and marketing. External stakeholders could include outside counsel and breach insurance providers.

The plan should include:

  • A detailed playbook
  • Roles and responsibilities of each team member
  • An outline of who does what and when
  • Collaborative actions to break down silos
  • “Road maps” of procedures to follow
  • Detailed reporting


Once a plan is complete, conduct routine “table-top” discussions to review and update it to make sure it is ready. Also speak to peers in other organizations that have dealt with this type of planning and incorporate their best practices. Attend conferences such as IAPP for more creative ideas and approaches.

Once the plan is complete, it should be published broadly to educate others in the business, limit surprises and prompt everyone to act quickly in the event of an incident.

Playbook Development

Your playbook is where you develop more detailed actions to take during a breach. Make sure the playbook makes sense and is to the point; otherwise it won’t be used.

It needs to be dynamic with a quick-review summary, followed by more specific action items which will need to be undertaken, such as:

  • Defining who is in charge of each phase
  • Particular work assignments
  • A step-by-step accounting of who does what and when
  • Workflow and process charts
  • Reporting procedures
  • Financial tracking
  • Third-party vendors available to assist

Communication and notification procedures are very important for the playbook. The company may have specific communication policies for who does it and when, so the team needs to be on the same page and consistent about implementing all reporting responsibilities. Don’t forget about:

  • Customers
  • Employees
  • Regulators (US, EU and others)
  • Vendors

The Role of Contracts

Although they are not top of mind when there is an incident, contracts play a major role on the implications of dealing with and resolving an incident. Early planning and a focused effort on ensuring customer and vendor agreements address privacy are very important.

The company’s agreements with vendors play an important role too. Procurement and legal must ensure the company’s terms on privacy, breach, etc., are included within all vendor agreements. The language should be reviewed to be consistent with the company’s policies, including those for cyber and privacy.

Third-Party Vendors

Third-party vendors can include those that provide products and services to the company and those that can assist when an incident occurs. Both have an important part in the outcome.

For the vendors providing products and services:

  • Make sure they have privacy and cyber plans in place that are consistent with the company’s policies.
  • Evaluate and monitor their plans on a yearly basis at a minimum.

Create a list and conduct due diligence on vendors that could help in the event of an incident such as:

  • Incident response experts
  • Breach software for reviewing data that may have been compromised
  • Managed review providers that can quickly ramp up a team to review the compromised data

Work with your insurance carrier and outside counsel on both categories of vendors since they should have experience in these areas and can offer guidance.


Finally, don’t forget about education. There needs to be proactive messaging on what the CPO and CISO, working together, can do to help the overall company. Presentations, webinars and online testing are a few tools that can be used. And be sure to include key outside vendors if they work closely with the company. They need to be aware and accountable.

If there is an incident, debrief afterward to see what worked, what didn’t and how the plan and playbook should be revised in order to be ready the next time!

◀ Back to Blog Listing