Data Breach Response: Tips to Protect Your Institution
Transcript of an Interview with Rebecca Herold, Security Expert
Editor's Note: Privacy breaches are a constant risk -- not just at our own institutions, but also at the third-party service providers to whom we entrust core business and data. Editor Tom Field recently caught up with privacy expert Rebecca Herold to discuss data breach response strategies.
TOM FIELD: Hi. This is Tom Field with Information Security Media Group. Today I am talking with privacy expert Rebecca Herold about data breaches and response plans.
Rebecca, I appreciate your taking some time today.
REBECCA HEROLD: Thank you. I am happy to be speaking with you about this topic.
FIELD: I wanted to ask you just to start out regarding data breach response plans. You see a lot of these. Where do you typically see that an institution has some holes in its plan?
HEROLD: Well, first and foremost, most organizations still do not have a documented privacy breach response plan. Unfortunately, most seem to think that they can handle it ad hoc, however this belief will lead to a much higher cost to organizations because without a documented plan it will take them much longer to determine the true status of the breach.
It will take them much longer to determine the individuals whose personally identifiable information was involved with the breach, much longer to determine if the personally identifiable information was actually compromised by determining such things as whether the information was encrypted and how many records were involved. It will take them much longer to coordinate with the other areas in the organization that must be involved with the privacy response, such as the information security area, the IT area, public relations, legal and privacy offices. And it will also take them much longer to be able to effectively and accurately answer customer, consumer and news media questions about the breach.
Those few organizations that do have documented response plans still typically, though, have holes in the plans as a result of two common oversights. One, not coordinating the plan with the information security incident response plans, when a privacy breach occurs because an information security vulnerability in some way was exploited. The information security and IT areas must be involved in privacy breach response. They know and have the access to the logs, audit trails, documentation and other information that will help to have the most efficient privacy breach response possible.
And the second common oversight is not testing the plan. Just putting together what seems like a plan on paper is really not being truly prepared, and I can promise you that if the plan is not tested, there will be un-thought of gaps and problems that emerge during actual breach response that could have been prevented if the plan were tested, updated appropriately and then retested until the plan is as effective as it can be as a result of those tests.
FIELD: Well, that’s interesting because if you are seeing such fault there, I am wondering about notification plans. How many institutions have them? Who are they notifying? And where are the holes in the plans that they do have?
HEROLD: Well, right now unfortunately there is still not a lot that have fully documented and tested notification plans, and with the ones that do have them, there are some common holes within their notification response plans. A couple of the major ones include, for one, not responding appropriately to the press when asked about what the breach is, what the status is of the response and so on.
I’ve seen way too many organizations make somewhat insensitive statements that downplay the risk results and in such a way that it makes customers and consumers angry. For example, saying something like ‘We have no evidence that the information has been used inappropriately’ only a week or two following the breach. Information can be used for years following a breach, and most consumers know this.
Or I have often seen them say something like, ‘We do not know who took the computer, but we believe they did not take it with the intent to use the information on the computer for a crime.’ You know, people read this and they say, ‘Huh, if the company doesn’t know who took the computer, how can they even speculate about the motivation for some unknown thief?’
So, these and many more similar statements have actually been made following breaches, and these types of statements only hurt the reputations of the organization that experienced the breach, as well as making consumers mad.
And then another, the second major hole I see, is not knowing the legal requirements for notifying the impacted individuals. There are now 40 U.S. state-level laws, including the District of Columbia, that have breach notice laws in place. They all have specific notification requirements, including how quickly notifications must be made, the information that must be included in the notifications and the delivery methods that are acceptable for the breach notices. And oftentimes organizations don’t know what those requirements are.
FIELD: Rebecca, I want to take you onto another topic all together, third-party service providers. How are institutions doing in terms of involving their vendors in breach response plans and notification plans?
HEROLD: Well, organizations are starting to involve their vendors, but they still have a long way to go. Most existing vendor contracts have very few information security requirements for the vendor included within them. And most of these vendor contracts have no requirements at all for vendors to contact the organization as soon as a breach occurs within the vendor organization that could involve, you know, the other company’s information.
Just look at all the incidents that have occurred in recent years. Many were caused by vendors, or many of the breaches occurred within the outsourced vendors. For example, transport companies have lost data on storage media or had it stolen. Outsourced help desks have not validated the identity of callers, and then criminals obtain the personal information of the organization’s customers as a result. Laptops of contracted consultants or auditors have been stolen, and because the data was not encrypted their client’s information was compromised. Just one example of this was when a laptop was stolen last year from an Ernst & Young employee’s car, and he had all of the personal information of his client’s employees on that laptop. That client was IBM. So this impacted possibly up to 360,000 or so individuals if the laptop really did include all worldwide workers as was reported.
So, organizations must ensure their vendors understand their expectations and obligations for how to respond to security incidents and privacy breaches when they occur within the vendor. Organizations cannot leave this to chance. They need to make sure that the vendor does not leave the organization in the dark about incidents only to find out about the breach through headline news.
FIELD: Sure. Now you are going to be giving a webinar on this topic. What are going to be the big take-aways of your presentation?
HEROLD: My goal is for the attendees to have several take-aways. Probably the big take-aways include understanding the potential impacts of a privacy breach and understanding the many different types of breaches that organizations must prepare for.
I will also provide a blueprint for how to create a privacy breach response plan and include the issues that must be addressed within the plan. I will provide advice and examples for privacy breach notification. I will also provide a few handouts to the attendees to help them with their privacy breach response development and management activity.
FIELD: Excellent. Let me ask you just to boil it down. If you could give just one piece of advice to someone regarding data breaches and response, what would that be?
HEROLD: Well, the bottom line is be prepared. Document the security incident and privacy breach response plan, and then test it and make sure that you include the key stakeholders. The privacy and information security areas must collaborate to create an efficient and well thought out and documented plan, but they have to include input, information and advice from the legal areas, the IT areas, public relations, their outsourcing areas, their call centers and the HR areas. So the bottom line is, they must be prepared and don’t just assume that a breach will not occur to them.
FIELD: Very good advice. Rebecca, I appreciate your time and your insight today.
HEROLD: Well, thank you very much. I enjoyed talking with you about the topic.
FIELD: We’ve been talking with Rebecca Herold. For more information about her upcoming webinar, please follow this link:
For Information Security Media Group, I’m Tom Field. Thank you very much.