From Books and Records to Bits and Bytes
Data breaches are a very real threat for today’s companies. Over the past year alone, there have been more than 53,000 globally reported incidents, with 2,216 confirmed data breaches across all sectors of industry and government, according to Verizon’s 2018 Data Breach Investigation Report. Companies need to be ready for prompt, thorough, and coordinated actions, supported by a carefully crafted incident response plan (IRP).
“The question your organization should be asking is not whether you need an IRP. The question you need to be asking is: What should be in it?” says Colleen M. Yushchak, director, global legal technology solutions, cybersecurity practice at Navigant Consulting, Inc.
1. Make sure you quickly gather sufficient information about the breach — before you start sharing information publicly.
“One of the biggest mistakes we see companies make,” says Laura Nielsen, director of global legal technology solutions at Navigant, “is taking disjointed actions, such as sharing uncoordinated information with the media, or failing to involve all of the key stakeholders from the beginning.” Depending on the region, Nielsen notes, companies will want immediate access to their insurer, their forensic data team, and legal support.
“Typically, companies will contact us when they know something has occurred, but they may not yet know the full extent of the breach,” explains Nielsen, whose data analytics team specializes in determining the full breadth and scope of exposure. “We look at a large volume of data and use proprietary scripts and analytic logic to identify protected health information (PHI) or personally identifiable information (PII), which triggers various types of required reporting.”
Tanya Gross, managing director of global legal technology solutions at Navigant, urges companies to consider whether they should bring in an independent specialist at this stage of a data breach investigation. “Your local IT team may be the comfortable option. However, an experienced breach team can significantly reduce your exposure, ensure that chain of custody and other important aspects of any forensic investigation are maintained while restoring service to you and your customers, and help calm and coordinate your legal, insurance, and media support teams during high-pressure situations,” says Gross.
A clear understanding of which systems contain what types of information, also known as data mapping, is a prerequisite to successfully responding to an incident. It is best to do this proactively — ideally before a crisis. Which systems contain PII or PHI? Which systems contain data that counts as personal data for European Union residents, a category that covers any information that can identify a person, such as their job title, workplace, or IP address?
“Where certain types of data reside matters because it enables you to know promptly what information has been viewed, accessed, or acquired inappropriately,” Yushchak says. “If the server that has been accessed doesn’t contain any personal information, the incident may not be reportable — even if it is concerning to the company.”
This is particularly important for companies serving customers within the EU, given that a new privacy regulation, the General Data Protection Regulation (GDPR), became effective May 25, 2018. Before GDPR, breach notification requirements in Europe had been relaxed, particularly in the UK, where the Data Protection Act imposed no legal obligation to report breaches of security, although many companies still chose to report them.
“Reporting a breach is now mandatory under GDPR, so it’s crucial to understand where data resides, as the fines can be significant — 4% of annual turnover or 20 million euros, whichever is greater,” explains Gross.
Knowing what is in the data, combined with a prompt review of what data was exposed when an actual event occurs, lets companies determine whether notification is needed and how to prepare for discussions with state attorneys general and other state and federal regulators, such as the U.S. Office of Civil Rights or the Department of Health & Human Services, based on the relevant criteria and laws.
Ideally, companies already have a clearly documented plan and a timeline for the full range of their notification obligations in place as part of their IRP. Failure to have a timeline for notifications ready, as well as any delays in involving the right stakeholders and data experts, can expose them to the risk of missing a reporting deadline.
Current notification expectations differ based on the type of incident, where the business and/or its customers are located, and the industry involved, but privacy expectations and notifications are growing more stringent. The GDPR requirements are far-reaching, affecting companies in the U.S. and globally that process data for EU residents or that process data in the EU. Companies have 72 hours to report if there has been a breach of personal data affecting EU residents, among other expectations.
Reporting expectations also vary across U.S. states, notes Yushchak, citing as one example the New York State Department of Financial Services’ new rules, which went into effect March 1, 2017, and require covered companies to have an IRP and a chief information security officer and to conduct penetration testing.
“Be ready for the public and regulatory scrutiny of otherwise internal business processes, such as risk management, treatment, and corporate decision-making in relation to your information security management system,” Gross cautions.
While the breach itself may incur serious fines, an often-unintended result of mandatory public reporting is the airing of the internal workings of an organization, which can tarnish the brand and the individuals involved. “By contrast, good cyber hygiene can help ensure the resilience of your brand, even in cases where a breach was not preventable,” says Gross.
The IRP should clearly lay out the organizational structure for the various roles, including reporting relationships, scope of responsibilities, timing, and decision-making. Keep in mind that the leader of the appropriate line of business should be included as a member of the incident response team.
A good IRP should also consider how the leadership team will continue to communicate in the event of a crisis, since the loss of the leadership team’s ability to operate can exacerbate a crisis and worsen an already bad situation. For example, during a hack of Saudi Aramco in 2012, all of the company’s communications and office equipment were impacted for an extended period of time, forcing the company to use typewriters and fax machines for critical communication. Testing of the plan should identify needs for alternative communications capabilities, such as contracts with an alternative telecommunications provider, emergency phones for company executives, and a cloud-based email system, to be used only in crisis situations.
“One of the most important actions companies need to take in the event of an incident is to quickly identify how their systems were compromised so that they can put in place any necessary measures to prevent further attacks,” says Nielsen.
Yushchak agrees. “Understanding your system’s vulnerabilities, how a cyber attacker might access and exploit them, and having a plan that includes classification, severity, and prioritization for how to respond is a critical part of an effective IRP,” she says. “It’s useful to think like a cyber intruder when creating these scenarios.”
It’s also critical to practice the IRP — ideally, well before it is needed — to ensure people know what to do, and identify any gaps, advises Yushchak.
Gone are the days when security was the domain of an IT guy locked away in the basement. Establishing a secure culture should be publicly sponsored at board level and be at the heart of every good security program. In today’s digital businesses, everyone from the CEO down to the clerk in the mailroom has a role to play in keeping the company secure.
Companies that have already experienced an incident without a coherent IRP in place have learned the hard way about the many risks, such as missed reporting deadlines, public relations debacles, fines, and sanctions from regulators, lawsuits, and more.
Those companies that don’t have a well-crafted IRP, reinforced by regular practice and testing, are courting disaster. It’s time to get started.