[BreachExchange] Cybersecurity: How to Handle the Nontechnical Aspects of a Data Breach

Destry Winant destry at riskbasedsecurity.com
Thu May 21 10:21:17 EDT 2020


https://biztechmagazine.com/article/2020/05/cybersecurity-how-handle-nontechnical-aspects-data-breach

Companies today are under constant attack from increasingly
sophisticated threat actors, and businesses often go weeks or months
before becoming aware that they’ve been breached.

But once a business does become aware of a cybersecurity incident,
what should it do? Sure, it needs to activate its incident response
plan, and that plan should outline roles, responsibilities and
timelines critical to mitigating and remediating the damages from a
cybersecurity incident.

But what about the other aspects of a breach? How should the business
respond to a threat actor’s demand for a ransom payment? How should it
handle notification to the public, insurers and authorities? Questions
like these are not technical in nature. But they should be addressed
in the business’s incident response plan. Here are the key steps.

When Protecting Your Data, Prepare for the Worst

Every organization should start by creating a data “map” showing where
its sensitive data is and how many places it is replicated, sometimes
needlessly, across the IT system. Then look at where the business
operates, taking note of the national and state laws that apply in
each location. How do these laws define the type of data — usually
personally identifiable information — that is protected, and what do
they say about notice and mitigation responsibilities in case of a
breach?
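The data map the article asks for can be kept as structured data rather than a diagram, so the response team can query it when the plan is invoked. The following is an added example (not code from the article or its author); the store names, regions and regime labels are constructed placeholders, and the region-to-law mapping must come from counsel, not from this script. It answers the two questions above: which sensitive categories are replicated (and where copies have no documented purpose), and which notification regimes apply to a given store.

```python
"""Minimal data map: where sensitive data lives, how often it is copied,
and which jurisdictions' rules attach to each copy. Constructed example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStore:
    name: str
    region: str          # jurisdiction the store is operated in (placeholder codes)
    categories: frozenset  # sensitive data categories held
    purpose: str         # why this copy exists; "" means nobody has documented it


# Constructed inventory: one system of record plus three copies.
INVENTORY = [
    DataStore("crm-prod", "US-CA", frozenset({"name", "email", "ssn"}), "system of record"),
    DataStore("analytics-warehouse", "US-CA", frozenset({"email"}), "marketing reporting"),
    DataStore("dev-db-snapshot", "US-NY", frozenset({"name", "email", "ssn"}), ""),
    DataStore("eu-support-portal", "EU-DE", frozenset({"name", "email"}), "customer support"),
]

# Placeholder mapping from region to notification regimes. The labels are
# stand-ins to be filled in by legal counsel for each location of operation.
REGIMES = {
    "US-CA": ["<state breach-notification law: CA>"],
    "US-NY": ["<state breach-notification law: NY>"],
    "EU-DE": ["GDPR"],
}
# Categories that may trigger federal financial-data rules (GLBA is named in
# the article; which fields qualify is a placeholder assumption here).
FINANCIAL_CATEGORIES = frozenset({"ssn", "account_number"})


def replication_report(inventory):
    """Return {category: [store names]} for every category held in more than one store."""
    where = defaultdict(list)
    for store in inventory:
        for category in store.categories:
            where[category].append(store.name)
    return {c: names for c, names in where.items() if len(names) > 1}


def undocumented_copies(inventory):
    """Stores holding sensitive data with no recorded purpose: deletion candidates."""
    return [s.name for s in inventory if s.categories and not s.purpose]


def applicable_regimes(store):
    """Regimes that attach to one store; unmapped regions are flagged, not guessed."""
    regimes = list(REGIMES.get(store.region, ["<unmapped region: review with counsel>"]))
    if store.categories & FINANCIAL_CATEGORIES:
        regimes.append("<federal financial-data rule, e.g. GLBA>")
    return regimes


def breach_scope(inventory, breached_names):
    """For the stores named in an incident, list categories exposed and regimes to check."""
    scope = {}
    for store in inventory:
        if store.name in breached_names:
            scope[store.name] = {
                "categories": sorted(store.categories),
                "regimes": applicable_regimes(store),
            }
    return scope


if __name__ == "__main__":
    print("replicated:", replication_report(INVENTORY))
    print("undocumented copies:", undocumented_copies(INVENTORY))
    print("scope:", breach_scope(INVENTORY, {"dev-db-snapshot"}))
```

Running it shows that the undocumented `dev-db-snapshot` copy carries the same categories as the system of record and sits under a second state's law, which is exactly the kind of needless replication the article says the map should surface before an incident rather than during one.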

Since the costliest cybersecurity incidents often involve the
business’s use of third-party vendors, businesses should review vendor
contracts to make sure they include the same level of cybersecurity
protection and due diligence that the business imposes on itself, and
they should include indemnification and insurance in case the
vendor’s systems are breached.

Every incident response plan should be in writing and approved at the
highest level in the organization. Incident response planning is not
strictly an IT issue; a business’s data is as important to the capital
value and revenue potential of the company as its physical offices or
manufacturing facilities, and often more so.

Categorize stakeholders as “responsible,” “accountable,”
“consultative” or “informed.” The plan should describe the business’s
data breach response team with an allocation of roles for
investigating, mitigating and informing necessary parties about any
cybersecurity incident. The team should regularly assess and document
the effectiveness of the plan and make required updates as security
incidents become more sophisticated. A dusty plan sitting in a desk
doesn’t work; continuous revisions are essential.

Know What's Required After a Breach

When a breach is detected and the response plan is invoked, moving
quickly is critical to managing the implications to the company brand
and financials.

Stopping the breach is, of course, the first order of business. When
that’s done, analyze the scope of the incident, the type of data
involved and the affected individuals so that the business can manage
the post-incident repercussions. Management and corporate relations —
not the IT staff — should assess communications outside the company.
Have the legal department (or outside counsel) assess the statutory
duties to inform affected individuals, insurance carriers and state or
federal officials.

All 50 states and the District of Columbia require notification on
some level, depending on the type and extent of the affected data. And
federal laws such as the Gramm-Leach-Bliley Act require notification
of data breaches for specific types of financial data. Businesses that
operate internationally must consider whether the overarching
provisions of Europe’s General Data Protection Regulation apply. And
don’t forget to check the business’s own privacy policies and
contractual commitments, which may impose a higher duty than the
relevant laws.

Whatever the particular legal requirements, it’s almost always best
when news of a breach comes from the company rather than being leaked.
Some companies have attempted to hide data breaches that later became
public. The result is always negative for their reputation and brand
value.

However, the details you must disclose after a data breach depend on a
combination of legal and contractual requirements, including the types
of data breached, the extent of the breach and the source of the
breached data. A best practice is to have a template letter that the
business’s legal counsel can adapt as part of its incident response
plan. The template should include the date of the notice, the entity
notifying the affected individual, contact information for questions,
a brief description of the incident, the date of the breach (as best
as the business can tell), the types of data breached, the
organization’s efforts to contain the breach and prevent similar
future breaches, and contact information for the applicable credit
reporting and government resources (if necessary). The letter should
come from the highest position within the company, which serves as the
official voice of the company in responding.

To Pay or Not to Pay

Should a business that is victimized by a ransomware attack pay the
ransom? It’s a complicated question.

The FBI recommends not paying in almost all cases. But it is not their
company at risk, and there have been many cases where a company’s
management decided to pay ransom in hopes of receiving a promised
encryption key to unlock their data and contain the incident.
Certainly, there is no guarantee that the threat actor will supply the
encryption key once paid. And the malware may damage the data, making
it unusable even with the encryption key.

But these types of decisions are strictly business decisions — not for
lawyers or authorities — and the decision-makers are ultimately
responsible to their investors and other stakeholders for this type of
cybersecurity incident, as they are for every other major corporate
decision.

Plan, respond, mitigate, rehabilitate: four words that need to be part
of every discussion on cybersecurity.

Now comes the hard part: remediation.

After the fire is out and the smoke clears — the business has
implemented its incident response plan successfully — it’s time to
pick up the pieces and move forward. Internally, the response plan
needs to be amended to account for the lapse that created the
incident. The business’s internal data maps and data systems need to
be augmented, which may mean allocating more money to IT security
budgets.

Externally, conduct damage control. Partner with the organization’s
cyber-insurance carrier to address the very real concerns that
customers may have about any release of their personally identifiable
information. This includes implementing credit monitoring or identity
theft insurance programs for them (use this as a positive PR
opportunity to convey that you care about your customers and their
plight without admitting liability).

Once again, address any legal concerns, including compliance with
statutes and regulations and reporting any criminal activities — and
document everything. Just because the business has moved on from a
security incident doesn’t mean that affected individuals (and their
attorneys) have. In many U.S. jurisdictions, there is private civil
action these individuals can take against the company. In any court
proceedings, business records demonstrating that the organization
acted in a commercially reasonable manner consistent with industry
standards and statutory requirements are essential in minimizing
exposure.
