"I've Been Breached - Now What?"
7 Critical Steps for Effective Incident Response
How should an organization approach the likelihood (or inevitability) of a data breach? The prime directive regarding any emergency situation is clear: have a plan. Yet there's an applicable aphorism, ascribed to the boxer Joe Louis: "Everyone has a plan until they get hit."
In other words, reality tends to intrude abruptly and with force. In terms of dealing with a potentially devastating exposure of sensitive data - a laptop stolen, malware detected or customer data leaked - there are several harsh realities that must be well understood.
Among the seven tips offered by breach response experts: Protect evidence of the breach; keep senior management engaged; act quickly, but don't over-react.
7 Tips for Effective Response
- Use Technology Tools to Assess, Contain Damage
When you discover a data breach, the clock starts ticking on several fronts. That's why a detailed data breach strategy is such an advantage. "If you don't have a plan, you're going to have to create one in real time," says Alan Brill, senior managing director at security firm Kroll.
It's important to determine as quickly as possible what really happened - the incident might not be as bad as you fear. Brill points to a healthcare organization that discovered a laptop had been stolen off a rolling rack. The institution had recently downloaded several hundred medical records to laptops in that area. However, when the log records were checked, that particular laptop had not responded to the data download because, officials realized, it was already missing. Conclusion: No breach.
On the other hand, when there has been a breach, it's important to maintain all potential evidence. Disconnect all systems involved from the network, but don't turn them off - you might lose malware that lives only in memory. Lock down all pertinent log files and audit trails before such evidence is overwritten or lost through routine purges. Also, you need to discover and stop any ongoing intrusion or data exfiltration. And the sooner you can get systems, applications and databases back online, the better for your business.
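The "lock down the log files before they are overwritten" step above is the one a responder can script in advance. What follows is an added example, not code from the article or from any of the firms it quotes: it assumes the logs of interest sit in an ordinary directory tree, and it preserves them by copying each file to an evidence directory, hashing the copy, making it read-only and writing a manifest that can later show whether the preserved copies were altered. The sample log lines in `demo()` are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed sample log content (not from any real system).
CONSTRUCTED_AUTH_LOG = (
    "Mar 03 10:12:41 host sshd[4211]: Accepted password for svc_backup from 10.0.0.9\n"
    "Mar 03 10:13:02 host sudo: svc_backup : COMMAND=/bin/tar czf /tmp/out.tgz /srv/records\n"
)
CONSTRUCTED_APP_LOG = (
    "2024-03-03T10:14:07Z INFO export job started user=svc_backup rows=412\n"
    "2024-03-03T10:14:09Z INFO export job finished dest=10.0.0.9\n"
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_logs(source_dir, evidence_dir, patterns=("*.log",)) -> dict:
    """Copy matching log files into evidence_dir, hash them, make the copies
    read-only and write a MANIFEST.json. Returns the manifest as a dict."""
    src, dst = Path(source_dir), Path(evidence_dir)
    dst.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for pattern in patterns:
        for path in sorted(src.rglob(pattern)):
            rel = path.relative_to(src).as_posix()
            before = sha256_file(path)          # hash the live file first
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)          # copy2 keeps the original mtime
            after = sha256_file(target)
            if before != after:                 # file changed while we copied it
                raise RuntimeError(f"{rel} changed during preservation; re-run")
            os.chmod(target, stat.S_IRUSR)      # owner read-only (0o400)
            manifest[rel] = {"sha256": after, "size": target.stat().st_size}
    manifest_path = dst / "MANIFEST.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    os.chmod(manifest_path, stat.S_IRUSR)
    return manifest


def verify_evidence(evidence_dir) -> list:
    """Return the preserved files whose hash no longer matches the manifest
    (missing, truncated or modified). An empty list means the copies are intact."""
    dst = Path(evidence_dir)
    manifest = json.loads((dst / "MANIFEST.json").read_text())
    mismatches = []
    for rel, info in manifest.items():
        copy = dst / rel
        if not copy.exists() or sha256_file(copy) != info["sha256"]:
            mismatches.append(rel)
    return sorted(mismatches)


def demo() -> dict:
    """Build a constructed log tree in a temp dir, preserve it, then tamper with
    one preserved copy to show that verification catches the change."""
    base = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    live = base / "var_log"
    (live / "auth").mkdir(parents=True)
    (live / "auth" / "auth.log").write_text(CONSTRUCTED_AUTH_LOG)
    (live / "app.log").write_text(CONSTRUCTED_APP_LOG)
    (live / "notes.txt").write_text("not a log file\n")   # ignored by the pattern
    evidence = base / "evidence"
    manifest = preserve_logs(live, evidence)
    clean = verify_evidence(evidence)
    # Simulate someone later "tidying" a preserved copy.
    tampered = evidence / "app.log"
    os.chmod(tampered, stat.S_IRUSR | stat.S_IWUSR)
    with tampered.open("a") as fh:
        fh.write("2024-03-03T11:00:00Z INFO nothing to see here\n")
    after_tamper = verify_evidence(evidence)
    shutil.rmtree(base)
    return {"preserved": sorted(manifest), "clean": clean, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The read-only bit is a guard against accidental edits, not against a privileged attacker; the manifest hashes are what actually let you show later that the copies are the same bytes you collected, which is the point of locking logs down before purges or a compromised host can alter them.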
- Don't Try to Hide
If the incident reaches the threshold of a serious data breach (involving, generally speaking, unencrypted personally identifiable information [PII]), the individuals potentially affected - customers, clients, citizens, etc. - must be notified in a "timely manner." In the U.S. healthcare industry, rules for notification of a breach of protected health information (PHI) are spelled out under HIPAA. But broader federal regulations around data breaches are dragging. So for now, specifics are delineated on a state-by-state basis.
Even before notifying individuals affected, you may need to contact law enforcement, such as a state attorney general or even local law enforcement officials, depending on the circumstances of the incident. Some organizations, such as financial institutions, are required to notify industry-regulating agencies.
All this means that news about the incident will get out. And while the disclosure of a customer data breach might be embarrassing, or even harmful to your business, that's minor compared to the repercussions if your organization is discovered trying to suppress information of the event.
- Engage Your Management
You must recognize that a serious breach incident is a major corporate event. The participation of executive management, including IT and security management, in strategy and decision-making is paramount. Risk or insurance managers, privacy officials and corporate counsel must be involved from the start.
Other corporate areas may come into play. Human resources may be tapped to research personnel files for data about current or former employees. Public relations might monitor social networks for related developments and prepare a statement to be distributed internally. Customer support may start fielding calls about the incident sooner than you think.
Ellen Giblin, privacy and data protection group lead at the Ashcroft Law Firm, is an advocate of a process she calls accelerated breach response. This involves widespread data breach training, especially for those in areas likely to first encounter such incidents. In this scenario, a technology-based process would enable workers to report incidents or anomalies immediately. A well-versed data breach team, either in-house or third party, would analyze the details of those incidents and be able to take swift and specific action as needed.
- Be Prepared to Seek Outside Help
"The more complex the event, the less likely internal resources will be able to do what needs to be done," says Ronald Raether Jr., an expert in breach response and a partner at the firm Faruki Ireland & Cox PLL.
For example, don't assume that your IT department has the skills to conduct a thorough forensic examination - it may not. In fact, tech employees may be too close to the environment to be helpful in an investigation, Raether says. Some might even look to cover up mistakes that may have contributed to the incident.
Also, be aware that some states require forensics investigations to be conducted by licensed private investigators, says Kroll's Brill. "You don't want to discover six months from now in litigation that the people you hired weren't certified in your state," he says.
A PR firm experienced in crisis management specific to computer security will be a great asset. The same goes for experienced customer support personnel, especially after widespread breach notifications have been sent out.
The potential impact of data breaches is driving widespread interest in cyber-insurance, according to a recent study by Ponemon Institute, sponsored by Experian Data Breach Resolution. Cyber-insurance can provide some backup, but check the fine print, says attorney Raether. Look for exclusions, restrictions and overly general language that might minimize a cyber-insurance policy's actual contribution. "It's good if it provides the type of protection relevant to the business," he says.
- Your Best Friend May Be a Lawyer
A data breach may be intentional or the result of an accident. It may involve paper documents, a mobile phone or a cyber-attack. Whatever way it happens, legal expertise is invaluable.
In-house counsel may not have the experience or depth of knowledge needed to address the various breach-notification laws that apply to each scenario in every applicable geographic area and to work closely with various law enforcement officials and forensic experts. That's why turning to an outside expert in the nuances of data breach law is often a good idea - and the sooner in the process, the better.
For one thing, an attorney specialized in this area will have ready access to the experienced staff and assets you need, including certified digital forensic investigators, PR professionals, even customer support staff who can double as detectives to spot bad actors attempting to exploit the situation, says attorney Giblin.
Another significant factor here is attorney-client privilege, which protects communication between the parties as confidential. By wrapping as much of the data breach investigation as possible in the attorney-client privilege, outside agencies will have less access to internal data and files.
There are several areas of potential litigation related to data breaches. A class-action lawsuit by consumers affected by a breach is a possibility, as is legal action by the U.S. Federal Trade Commission, which enforces security standards through civil prosecution of companies suffering major data breaches.
- Don't Panic
Is it possible to overreact to a data breach incident?
When online shoe store Zappos discovered a potential breach of as many as 24 million customer records in 2012, it notified its customers by e-mail almost immediately. Security experts praised the company for its swift action and for e-mailing its entire staff about the incident.
Yet, critics wondered whether it was a good idea for Zappos to pull its customer support personnel off 800-number product lines to help with customer e-mails concerning the incident. "Ideally you want to keep them on their day-to-day jobs, so your business functions are not disrupted," Raether, the attorney, points out.
Raether also is concerned with what he refers to as a "cry wolf" syndrome in connection with breach notifications. Some organizations flood their customers with notifications indiscriminately, potentially confusing the actual victims of the breach, who then don't take the actions they should in relation to the security problem. "Consumers become desensitized to notification letters," he says.
- Learn Your Lesson(s)
A data breach, painful as it is, can be a learning experience. You should be prepared to create a post-incident document that details what happened and how it was addressed, and offers recommendations for future actions.
A digital forensic investigation may help point out security holes in the organization's infrastructure. Also, a breach incident may be the impetus needed to enforce widespread use of data encryption. The same may be true for data mapping, which helps an organization keep track of its digital assets down to the record level.
Just be sure that the lesson you learn from a data breach isn't this: "I wish I'd had a plan!" A detailed data-breach response strategy will make the difference between reacting effectively and floundering. Says Kroll's Brill: "Those organizations that make some plans, that practice and have a bench of support, and then carry those plans out, they get through this."