An emerging concept known as accelerated breach response aims to improve how organizations react to such incidents. What are the hallmarks of the new approach? Attorney Ellen Giblin offers insights.
The term describes an organization's capability for employees at all levels to recognize a breach and to know exactly where and how to report that incident, so that appropriate response can be initiated swiftly, says Giblin, who is privacy counsel for the Ashcroft Law Firm, based in Boston.
"How an organization would get there would be to take the stakeholders and see who's going to be involved in the types of responses," Giblin says in an interview with Information Security Media Group [transcript below].
With accelerated breach response, organizations should pre-determine who will be responsible for which type of incident, be it paper breaches, lost or stolen mobile devices or cyber-attacks, Giblin says.
Then there needs to be a system in place so that employees within an organization can report a breach once they see it, the attorney explains. That information would then go to a designated individual within an organization, such as the legal department.
Once the incident is reviewed, it can be escalated and handled promptly, Giblin says.
"[We should be] training everybody up front on all the different types of breaches so that we'll know how to respond when they come in," she says. "[Then] you're able to contain the event, contain the point of entry and start to be able to assess your damages and how you're going to report and notify to consumers in the most expedient manner possible."
In an interview about accelerated breach response, Giblin discusses:
- What's wrong with traditional breach response;
- Tools, skills and partnerships necessary for improvement;
- How to ensure accelerated response.
Giblin is internationally recognized for her years of legal and risk management expertise in privacy, data breach, data protection, cybersecurity and information management. As privacy counsel for the Ashcroft Law Firm, she assists clients by advising them on how to prevent and respond to a breach of their systems through the entire protected information lifecycle.
Prior to joining Ashcroft, she served as privacy counsel at Littler Mendelson, a large international labor and employment firm. Earlier in her career, she supported RBS Americas as a senior risk manager and privacy officer for Citizens Financial Group, where she focused on consumer and commercial lines of business.
TOM FIELD: To start out, could you tell us a little bit about yourself and your work in breach response, please?
ELLEN GIBLIN: I began my career at Iron Mountain working as an incident and data breach manager for the legal department. I was negotiating the business associate agreements and doing some of the compliance work. Then, when the business associate agreements started being negotiated more heavily around my ability and indemnification, I started to also look at the requirements for notification and what the plan would be if there was an incident and how we would respond to it. I worked with a group that we put in place to begin responding to incidents, even though at that time under HIPAA they were not required under just the privacy rule. We were working under the contractual obligations for breach response.
Gaps in Traditional Breach Response
FIELD: I'm fascinated by the topic of breach response, and before we get to the accelerated concept, give me some insight please. Where do you find that organizations are typically missing the mark when it comes to traditional breach response?
GIBLIN: I think the first issue is, for a company to get to the next level of breach response to where it's accelerated, you need to have a plan in place, and I'm still finding that, even with the largest financial institutions, there's a great disparity company to company. For example, in the financial industry, they're getting more serious about cybersecurity, and you're talking about cybersecurity, yet when you ask for their breach response plan it actually doesn't reach down to all of the workforce, where anyone in the workforce who sees an incident, anomaly, insider threat, social engineering or an attempt by someone to come into the system or onto the property, there's no way for them to interface and escalate their concerns right to the breach response team. A lot of the times it goes to a manager and then it can get lost or it goes to a complaint to HR and it can get put through a different process. The issue really needs to be, how can your entire workforce go to a portal or website, even if it's paper, and fill out an intake survey and report an incident right away and have that escalated immediately?
Accelerated Breach Response
FIELD: That gives us a good transition to this concept of accelerated breach response. It's something that you've spoken about a great deal. Define the concept for us please.
GIBLIN: As I mentioned, my experience began at Iron Mountain. When you're moving the world's information, there's a lot of density of incidents that occur, and you're able to train more easily on those incidents because of the number of incidents that can happen. But when you're in another company that may not have movement of information as their main core business, you really need to get to everyone, educate and do training around what an incident looks like, how we define it, what's reportable, why you report almost everything that you think is even possibly an incident; then, where that information goes to and where it's picked up and pushed through to response. If you're catching everything at the bottom and it's being escalated to the top, then what you need is somebody who can sort through just anomalies, events and incidents, and then inadvertent disclosures up to an actual breach. When you get to the point of breach, what you're looking for there is you need to have a team in place that responds to an actual breach.
With our clients, we have an incident management system that's in the cloud. What we can do is give access to clients down into their organization, so that incidents can be escalated up and then they can be referred over to the law firm. Why that's important and why it's not an advertisement for us is that, the sooner the attorney-client privilege is put around an incident, the better. Really, the concept begins with engaging the attorney to put an attorney-client privilege around an incident so that it can be managed and dealt with openly and forthrightly between your counsel and the stakeholders in your company who should be involved, such as privacy, information security, physical security, usually business engineering to get to the root cause sometimes of why these incidents occur, and human resources as well.
FIELD: I wonder if you can give us a hypothetical example of what accelerated breach response looks like as opposed to traditional?
GIBLIN: Within a company, you would have an incident where say there was an in-house courier that was intercepted and the bag that they were transferring had paper and maybe some electronic media being transferred from, say, one bank branch to another. It's intercepted; it's stolen. What happens is that if you want that person when that happens right away to not only report the theft of the financial assets, the physical assets like the mobile devices, the financial assets being the actual money or checks that were stolen, but also the information assets, you want to make sure that the reporting is in there for that information asset breach immediately. You want to have it escalated again to an attorney so they can see the incident, they can see the complexity of it, and they can work with a team within the company to make the decisions. Because a lot of times people who practice in this area get very familiar with the incidents and they understand the nuances. There are others that the first time in looking at a breach are saying, "Oh, I'll work your information security breach for you." That's where things can get really derailed because the right thing to do is to take a look at that information and separate what's paper, what's electronic, what's encrypted and sort out, because there are states in the United States that have data breach laws. There are 46 states and territories that have data breach laws. Some of those state laws do not require reporting for paper or notification to consumers for paper breaches. If you could separate out and not over-report, that's key in saving money.
It's not only accelerated but it's also efficient breach response, so when you go into the accelerated part, you're saying, "Now we know what we have to report up." You really should have an attorney in place that has all of the laws known to them and all the nuances, and there's about three or four different risk analyses that are required for analyzing whether a breach is reportable or not, whether the risk of harm would require you to report. Having familiarity with that type of dashboard of information on how a breach is to be managed is really important. I rely on a cloud-based tool to help me out with that, to make it quicker, but I also know myself what the nuances of the law are. When it comes time for a lawyer to look at the risk of harm analysis, that's a human task and that has to be done by somebody who is accomplished and trained in that task.
Then you move forward to the next steps and each one will be handled in the same manner. You don't start drafting a letter for the first time. You should have experience in knowing the nuances of each attorney general, being familiar with all the different attorney general offices, and what they're looking for in a letter, what they're not looking for, what would trigger further regulatory comment and maybe what the goal is, to get to the point where you're sending a letter that they are satisfied with, which would not trigger their ire or their desire to look more closely at your breach.
How to Ensure Accelerated Response
FIELD: You've made a good case for accelerated breach response. I guess my question for you now is: How do organizations get there?
GIBLIN: How an organization would get there would be to take the stakeholders and see who's going to be involved in each type of response. You may want to dedicate some people who are only going to handle paper breaches. Then there's somebody who specializes in mobile devices because you're going to have to deal with the device, turning it off and wiping it. Then [it's] trying to figure out if you're going to be able to retrieve it, and there's a pathway for mobile devices in their reporting. The tracking further down the line, someday you want to see if you can get that device back. There should be some specialists in each of these areas, or somebody who has that specialization and knowledge in paper, mobile devices and electronic, and then systems breach.
You have to have your relationships with your IT and information security group, fraud group and human resources in place, because you're looking at making sure that if there are e-mails that are coming in that are phishing scams or pharming, that you know how to respond to those issues in advance. It shouldn't be re-training while we're going. It should be we're training everybody up front on all these different types of breaches so that we'll know how to respond when they come in so that you're not behind responding to the incident. You're able to contain the event, contain the point of entry and start to be able to assess your damages and how you're going to report and notify to consumers in the most expedient manner possible.
I think that also requires having all the vendors in place that specialize in different types of breaches. There are vendors that specialize in HIPAA. There are vendors that specialize in the healthcare industry. There are vendors that specialize in the financial services industry. You want to make sure that you have your breach response team and your provider, and you need to know up front [if] you need further investigations. Who's your forensics vendor? How does that work? Have all of these contracts in place before you open the door and say we do breaches here, because if you're negotiating under pressure for a client, you're not going to get the best terms and conditions in an agreement. You want to make sure everything is in place. Run a few incidents as if they're real-time. Make sure that everybody responds correctly. I really have always seen this as part of business continuity and disaster recovery. Some of these cyber-attacks can be a disaster for your company. You need to make sure that you're running these incidents as if it was an event under those plans.
Necessary Tools and Skills
FIELD: The question organizations are going to have is: What are the tools and skills necessary for me internally in my organization so I can be prepared to make this move to accelerated breach response?
GIBLIN: I think the first tool is your reporting tool. How's that going to be rolled out to your colleagues and members within your company? Actually scope out: Are you going to be trying to catch incidents in other countries? I think that's a very good idea. If you're doing it all at once, make sure you have everybody supplied with a reporting tool that reflects the type of breach that would occur in each country and have a way to escalate that to a central repository and central person who can then manage the incident response when it comes in and where it goes to. Also, for those that are deemed true incidents that need to be examined by an attorney, escalate them to an attorney right away. You need a really good relationship with your attorney. You need a law firm that's really dedicated to being on 24/7 and accepting escalations, and all of your partners have to be willing to accept escalations 24/7. That's a deep relationship and it's one that should be scoped out in advance, run through and tested before you rely on it.
Making the Transition
FIELD: I've got a final question for you. What advice would you offer to organizations to A) assess their own state of breach response now to see where they are in the continuum to accelerate it, and B) where do they begin this shift toward the accelerated mode? How do we assess where we are? How do we move forward? What's your advice?
GIBLIN: I think the first question is, who's doing it now? Who's managing these incidents for us now? Interview that person and see what their job description is, who they report to and ask them, "How do you manage these? What are you doing now? What are your pain points? What do you think can be made more efficient? What do you think is good about what you're doing and what do you think is bad? What kinds of training do you need going forward and what training do you have that has been helpful?"
It usually does fall on one person and it should fall on a team. Find them and ask them what they have and what they need, and move forward from there to up the chain on who's receiving notices of incidents. You don't want to over-notify the C-suite. But you want to escalate the lost media tapes, the big cyber-attacks, up to the C-suite, because we all know with cyber-attacks, under the SEC, you need to be reporting what your risks are. ... A really great tool would be a map of how the incidents are escalated, who's notified and who may be left out of the loop that needs to be brought into the loop. Maybe [it's] regulatory risk, legal, human resources, fraud, physical security, as well as information security and technology as well.