Why Prepare?

The average total organizational cost of a data breach in the United States in 2015 was $6.8 million.[1] In 2016 alone, over 3,000 publicly disclosed data breaches have occurred so far, representing more than 2.2 billion compromised records.[2]  In addition to the upfront expenses, the damage to an organization’s reputation and goodwill can be immense and long-lasting, potentially presenting an existential risk to its future. In the notable case of the data breach at Ashley Madison, hackers exposed spousal infidelity that prompted a $567 million class action lawsuit,[3] demonstrating the potentially devastating impacts of a malicious intrusion.

In the absence of a plan, the immediate hours after a breach is detected are often marked by confusion and panic. The time to craft a response is not when a company first realizes its security has been compromised; by that time, it may already be too late to adequately react. By developing a “living will” in advance that maps out the procedures and steps to take, and stands ready to implement in the event of a breach, the chances of mounting an effective response effort can be substantially improved.

Designate First Responders and Take Preventative Action

The first step to creating a data breach living will is to set a clear path forward by designating an internal team of first responders with clearly delineated roles and responsibilities. These individuals will be responsible for drafting and maintaining the living will and, in the event of a breach, implementing it. When and if a breach occurs, this team will spring into action to assess the gravity of the breach, gather the financial and logistical resources necessary to respond, and act as a central point of communication and coordination between executive management and boots-on-the-ground responders.

The best type of data breach is the one that never happens, so the next step is to roll out preventative policies and measures to reduce the likelihood that a breach will occur. Employee access to critical and sensitive enterprise data should be restricted to only those who need it. Strong passwords should be mandatory, and encryption and firewalls should be implemented wherever practical. By investing time and resources into protective measures, such as data security and anti-malware software, and by training employees on secure information practices, the risk of a breach can be significantly reduced, and the chances of quickly detecting a breach improved.

Plug the Hole

In the unfortunate event that a breach occurs, critical actions should be set into motion within minutes or hours, not days. The first priorities should be to assess the scope of the breach, to immediately stop any ongoing data loss, and to preserve evidence and documentation about the breach. Internal IT personnel should be mobilized to determine the cause of the breach and to take quick steps to halt further damage or loss of information. The particulars of how and when the breach was discovered should be recorded. Law enforcement agencies should be notified if the breach was the result of a hacking, theft, or other crime, or if legal requirements mandate government notification.

Call in Expert Help

Although the internal first response team should spearhead the effort at its outset, depending on the gravity of the breach, it may be necessary to enlist outside assistance to expand the footprint of the response. Companies should establish relationships with law firms, information technology specialists, forensics experts, and other professionals.

  • Legal counsel can advise on the legal requirements for notification of customers, government agencies and law enforcement, and any other relevant stakeholders. Standards for breach notification and civil legal liability vary among states,[4] and effective counsel can help clarify the legal and regulatory mandates relevant to the particulars of the breach.
  • Forensics experts and IT specialists can help identify the affected customers and the extent of the data loss so legal counsel can recommend the necessary disclosure and remediation steps to take.
  • A public relations firm can help manage and protect the company’s image under media scrutiny. Companies offering dedicated data breach resolution services can provide call centers and identity theft protection for affected customers, and should ideally be hired before the breach occurs to obtain the most cost-effective rates.
  • Insurance companies offer policies that can help cover the financial burden of the response effort.

 

Notify, Remediate, and Support

Once the immediate breach emergency is under control, the next steps should be to manage the short-term and mid-term impacts of the breach and determine appropriate disclosure actions.

Disclosure requirements vary by state, and often mandate that specific information and services be provided to affected parties. Depending on where the breach occurred and where the affected customers reside, a patchwork of state legal requirements must be considered when deciding on the necessary action. For example, Connecticut residents affected by a breach must be offered 1 year of free identity theft protection and mitigation services.[5]  California requires a disclosure submission to the State Attorney General when more than 500 California residents are notified as a result of a single breach.[6]

Disclosure may be unnecessary if it can be determined by IT specialists and forensics experts that personally identifying information (e.g., name, credit card or account number, driver’s license number, SSN, etc.) has not been compromised. Even when personal data is stolen, if it is encrypted, it may be unreadable to hackers. Most states, with the notable exceptions of California and Tennessee, offer some form of an encryption safe harbor that suspends notification requirements when the lost information had been encrypted, redacted, or anonymized.[7] By adding encryption to the most important files in company systems, the negative reputational and legal impact of the breach can be dramatically reduced.

If public disclosure is warranted by either a legal requirement or prudential considerations, a carefully written press release should be drafted to let the media know of the breach while reassuring the public that a transparent and effective response is underway and that help will be available to affected customers. Customers should be informed that their account numbers and passwords will be changed, and that they will not be held responsible for fraudulent or unauthorized charges. Often, it is appropriate to offer identity theft protection services to affected customers, and doing so can go a long way towards minimizing the damage and preserving the company’s goodwill among its customers.

Update, Stress-Test, and Defend

Although the current breach may be over, systems will need to be fortified and improved so that a similar incident is less likely to occur in the future. The results of IT and forensics investigations can be used to determine necessary steps to harden systems and tighten procedures. Data access controls should be reviewed and security measures stress-tested, potentially by enlisting friendly hackers to attempt a mock breach, known as a penetration test, to identify and close gaps in security.

Whenever a breach occurs, potential litigation is always a concern. The documentation of the response effort and the mitigating steps already taken can greatly reduce the harmful impacts to third parties, shrinking the potential civil liability of the company and minimizing accusations of negligence. Often, a settlement of claims can be far more beneficial to company interests than a protracted legal battle that prolongs the public awareness of the breach and continues to erode the organization’s reputation.

Finally, an effective response plan is not a static document. Technology, law, and best practices are in a continuous state of evolution, and a company’s response plan must be regularly audited and improved, at least annually, to maintain its effectiveness. Employee training programs and a periodic review of outside vendors and information assets can ensure that the response plan remains adequate to the threat, today and into the future.

Get Back to Business

The ultimate goal of an effective response plan is to put data breaches in the rearview mirror so that the company can get back to business. By maintaining a “living will” that incorporates these guidelines, enterprises can set aside the daily stresses and worries associated with potential security breaches and instead focus on what they do best: growing their business and serving their customers and communities.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

 

[1] 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute

[2] These were the biggest hacks, leaks and data breaches of 2016. Zack Whittaker, ZDNet, Nov 11, 2016

Biggest data breaches in history, Dave Albaugh, comparitech, Retrieved July 24, 2017.

[3]  Ashley Madison faces huge class-action lawsuitBBC News, August 23, 2015

[4] Security Breach Notification Laws. National Conference of State Legislatures.

[5] New Connecticut Law Requires Businesses Offer Identity Theft Protection Services After a Data Breach., Joseph J. Lazzarotti, Jackson Lewis, June 17, 2015

[6] “Data Breach Charts.” Baker Hostetler. Retrieved 24 August 2016.

[7] Id.

Author: Frank Fazzio, IGP, CRM

Author: Frank Fazzio, IGP, CRM

Analyst / Licensed Attorney