Dealing with a Data Breach: Tips from the Trenches
Thorough documentation and clear communication can make dealing with a data breach a little less painful.
Companies and government agencies use a variety of technologies to protect their networks from unwanted intrusions. The attacks themselves are continuing to escalate in number and complexity, so it’s important to know how to respond when an incident occurs.
"The biggest issue is to make sure that everyone on your team is talking the same language," Ricardo Lafosse, chief information security officer for Cook County Government, told the audience at the recent SC Congress event in Chicago.
Part of that, for Cook County Government, is knowing the level of the attack. The county uses one response for an "incident," an escalated response for multiple incidents, which Lafosse calls an event, and a still higher response for an actual breach.
Jacob Springer, division counsel, global privacy office for Abbott Laboratories, suggested developing a baseline of security defenses by looking at peers in the same industry. He also recommended following a detailed script for any type of security issue. Without a detailed, planned response there is likely to be a communication breakdown.
Documentation and Communication
"People think they communicate well, but they don’t," Springer said. "You need to put a plan together that is very detailed, with what people do at what time. The more specific you are, the less time you lose in responding. If you don’t define people’s responsibilities, it will take a long time to respond one way or another. Everything that you can do to reduce downtime is money in the bank."
Springer also recommended that companies document their defenses and any responses to incidents, including preferred forensic data security and other security vendors to contact when warranted. Email documentation isn’t enough, he cautioned. The company needs to have confidential documentation, including an outside counsel’s approved summary of the company’s response to any breach.
William Cook, partner with McGuireWoods LLP, said security response information needs to be communicated not only to the security team, but also to legal and to executives, so that everyone understands when an attack or breach legally requires notifications to customers and others outside of the company. Failing to make those notifications as required can cost a company in fines and in reputation.
Cook also stressed the importance of the legal department explaining to executives the notifications required by different legal entities. There are 47 different state laws requiring notification, as well as FTC rules to understand, he said.
He recommended working with inside and outside counsel in the event of a breach to ensure that the company follows proper protocols. However, he advised keeping as much detail as possible in-house so that it doesn’t lead to future litigation. Inside counsel should discuss any breach with all parties within the company so that anything said comes under attorney-client privilege and "unwise" comments don’t go out to the public.
For example, Cook related a discussion with a company’s new chief information security officer who said the firm’s security "was like a screen door on a submarine." Cook said he asked the officer to repeat the statement to make sure he heard it correctly, then told the officer never to repeat it.
"You can look good or bad," Cook explained. "You don’t want to send out the wrong kind of information."
Incident Response and Notification
He also advised communicating security protocols to the public relations staff so it can prepare proper messaging regarding the company’s efforts in the event of an actual breach. The public relations staff should be put on notice immediately upon the discovery of a breach, he added.
"You need to have your security guidelines in place. You need to have an incident response team in place," Cook said. "There will be a lot of press when there is a security event."
If the proper notifications aren’t released in a timely manner, the press, legal authorities and perhaps the Federal Trade Commission (depending on the nature of the breach) will all be hard on a company, Cook warned.
Timely notification is more important than the technology employed to fight threats, Cook added. "Some companies are worrying too much about new bad stuff. As they’ve shown in the Target case, judges don’t ask about having state-of-the-art security. They care more about your record and how you respond along the way."
With attacks evolving continuously, state-of-the-art defenses aren’t always possible, Lafosse agreed. "You have only a finite number of resources. There are always new tools."
More important than having the newest tools is taking reasonable, proactive steps to monitor the network for evidence of attacks and attempting to respond before an intrusion becomes successful, Lafosse and Cook agreed.
"Judges are upset when they see that legal and HR are not responding to red flags that are going off in their own arsenal of security systems," Cook said. "You need to show that you are organized and that you approach security in a logical way."
For more advice on how to handle a data breach, check out suggestions from attorneys Thomas Zeno and Lindsay Holmes on Baseline, tips from information security expert David Barton on CIO Insight and three do's and two don'ts for dealing with a data breach on eSecurity Planet.
Phillip J. Britt writes for a number of technology, financial services and business websites and publications, including BAI, Telephony, Connected Planet, Savings Institutions, Independent Banker, insideARM.com, Bank Systems & Technology, Mobile Marketing & Technology, Loyalty 360, CRM Magazine, KM World and Information Today.