[BreachExchange] Cybersecurity Incident Response: Who You Gonna Call?

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 18 20:18:56 EST 2017


http://www.jdsupra.com/legalnews/cybersecurity-incident-response-who-you-26116/

Who should you call when you suspect, or are certain of, a data breach?
Data breaches and other cybersecurity incidents have become a fact of
life.  Yahoo! recently disclosed that data for over one billion users was
compromised in 2013.  Hundreds of incidents affecting millions of records
were reported in 2016 alone.  So when — not if — your company suffers a
breach, a prompt and effective response is crucial.

Below I examine who you should call, even if you’re not required to; who
you must call, by operation of statute or regulation; and who you can call,
if circumstances warrant.

The Experts: Who You Should Call

An effective response requires knowing the extent of the breach: was there
actually a breach, and if so, what kind and how much data was compromised?
A technical expert that specializes in breach response can help answer this
question, and therefore should be one of your first calls.  Beyond
identifying the scope of the breach, a technical expert can also help
identify the cause of the breach, removing that vulnerability, and making
your systems more technically secure to safeguard against future breaches.
Crucially, these experts should be able to accomplish these tasks in a
manner that preserves existing data.  Data preservation has practical
benefits (such as allowing accurate after-the-fact analysis of the breach),
but also is vitally important in the event litigation arises from the
breach.  A judge or jury could presume that lost evidence is harmful to you
— even if it was not intentionally destroyed.

A data breach is likely accompanied by myriad legal ramifications, which is
why a call to a legal expert – such as a law firm with breach response
experience (Foley Hoag, which maintains an in-house Cybersecurity Incident
Response Team, is one of them) — should also be a priority.  Most states
have mandatory reporting laws, and there are often additional laws (some of
which overlap) in play.  Beyond identifying the necessary immediate
actions, an experienced legal team can help sort through other
implications: What is the possible exposure from lawsuits by consumers?  Is
the cost of the breach covered by any of the company’s insurance? Is there
any beneficial non-mandatory notification or reporting that should be done?

Depending on the capabilities of your organization, in-house personnel
could perform some of the same functions.  But even in large, sophisticated
companies, independent technical and legal teams that specialize in
incident response can bring unique expertise and a fresh perspective, and
thus can prove invaluable.

Mandatory Reporting: Who You Must Call

As discussed above, most U.S. jurisdictions have statutes and regulations
that mandate notification and reporting in the event of a breach.  Although
the details vary from state to state, notification and reporting is
generally triggered by the unauthorized use or access of unencrypted
personal data (or encrypted data if a third party has potential access to
the encryption key): for example, first and last names accompanied by a
Social Security number, driver’s license number, bank account information,
or credit card number.  Other laws may have specialized notification and
reporting requirements, such as HIPAA for health data (depending on whether
it applies to a particular organization) or EU regulations, if the breach
affects EU citizens.

You probably will need a legal expert to determine whether your incident is
a breach, whether that breach triggers notification requirements, and, even
if there are no legal obligations, whether notification and/or reporting is
nevertheless prudent.

The applicable mandatory notification and reporting laws can also carry
different requirements. Notification to those whose data was affected is
the most common.  Certain laws may also necessitate notification of law
enforcement (which is normally the state’s Attorney General office,
although in any particular case notifying the local police department or
the FBI might be necessary).  Other laws may require reporting to a credit
agency (often this depends on how many people are affected).  Further
complicating matters, the laws often come with strict timing requirements,
and late reporting can prove costly.

You might also have contractual reporting requirements, the most common of
which is reporting to an insurance carrier.  (Failure to report to your
insurer probably isn’t a crime, but losing coverage because of not
reporting might as well be.)

Further Notification: Who You Could Call (If It Makes Sense)

Apart from assembling your team of experts and issuing the proper
notifications, there might be strategic reasons for voluntary reporting to
certain groups.  For example, you might wish to voluntarily reach out to
law enforcement.  This could seem contrary to common sense — why would I
want to invite the FBI to investigate me and potentially take control of
something that has affected my company? — but it could make strategic sense
to proactively get out ahead of any issues.  Your legal counsel can help
you weigh the pros and cons.  Similarly, you might want to voluntarily inform
consumers, even if you don’t have to.  Candor can foster goodwill, and
again, having the right story — your story — out first can forestall
headaches down the line.  Hiring a public relations expert could be
important so you can help communicate to the broader public, if necessary.
Finally, internal communication might be warranted.  For example, you might
want to develop a policy regarding commenting on the breach and distribute
it to employees.  An experienced response team can help you analyze your
situation and make the right calls.