Cybersecurity Lawyer — Beyond Tabletop Exercises: Running a Data Breach Drill


You spent valuable time and resources crafting a cybersecurity breach action plan. You’ve assembled a multidisciplinary response team. You’ve identified who is responsible for what, and what decision-tree will go into effect. The plan has been circulated. You’ve even engaged a separate law firm that will be on call in the event of a breach. You’ve done the same with a PR firm, a private investigator and data breach hit squad.

But if the action plan stays put on a shelf, it isn’t really of much value. Smart companies run a tabletop exercise, where first responders sit at a conference table and run through what will happen in the event of a breach. But really smart companies do something more – they take their efforts out of the conference room and into the real world. Breaches involve stress, panic and urgency. It’s not the time to be opening a binder and flipping through tabs for instructions. All those with responsibility for securing the breach need to be battle tested.

Just as fire drills are mandated safety requirements, breach drills should be mandatory training for your team. These exercises bring to light the weaknesses, if any, inherent in your breach response plan. These drills take a good plan and refine it into a great plan.

The key to testing the plan is making your drill as realistic as possible. Notify responders there will be a drill, but not when it will happen. Then, perhaps on a weekend, unleash a hypothetical and set things in motion. Designate several observers to follow the drill to see how closely actions hew to the plan. Document what went right and what went wrong so adjustments can be made later.

Let’s say a single engineer in IT discovers the breach. Notify that engineer this is a simulation. He or she passes that information through the chain of command as the response is triggered. Carry the exercise through the C-level executives involved. Have every participant make the phone calls they would in a real crisis and assemble key players in the war room designated ahead of time. From there, as your plan instructs, notify legal, investor relations, human resources, company security, and all other relevant departments. Contact outside professionals on call such as your legal counsel, public relations firm and other responders. Contact appropriate board members and law enforcement as necessary. Engage your call center to properly handle incoming inquiries.

Then, ensure all individuals play their role fully. Legal should work with PR to draft a statement. That needs to be reviewed and disseminated. C-level executives need to approve all actions and ensure every step is taken as planned. The exercise may run more than just a few hours, as those running the drill introduce wrinkles and ripple effects to the initial hypothetical.

This can be a difficult and exhausting process, but it is invaluable. Just as important, however, is the post-test analysis. Gather your team shortly after the drill to debrief. What worked? What didn’t? Where was valuable time lost? Did responders have the mobile numbers they needed? Was communication covered by attorney-client privilege as extensively as it should have been? What was the response time of your chosen outside counsel and public relations team? Were those professionals prepared? Did the company’s initial statement of the breach ring true? What about follow-on communications? How well did IT interface with other departments?

Use this information to fine-tune your breach response plan. This data will also show where additional training may be needed. Conduct that training as soon as possible, while the drill is still top of mind. Then, several weeks later, run a second surprise drill. Unleash a hypothetical that varies enough from the initial drill to truly test your team. Monitor and record your team’s response. The hiccups from the first drill should be remedied by this point. If not, review the plan to make sure it’s truly workable. Sometimes plans appear well crafted, but if they don’t take into account the human factor and how people really behave, the plan likely needs revision.

Debrief your second drill in much the same way you reviewed the first. By this time, your response team should have gained the confidence that they know what to do in the event of a real crisis.

These drills are invaluable in several ways. They show regulators, your insurers, customers and employees that you take data security seriously. They can become an important element in your post-breach narrative as you share how much work the company put in to prepare and quickly respond to a breach. Evidence shows that the faster a company responds to a breach, the less expensive it is, not just financially, but also in terms of reputation, brand, damage to customer base, etc. Any defense, whether in sports or armed conflict, is not truly a defense until it is put into practice. Embed cybersecurity breach response into the muscle memory of your first responders, and your company will fare far better for it.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.