[BreachExchange] Data Breaches: Are You Ready (for the inevitable)?
Inga Goddijn
inga at riskbasedsecurity.com
Wed May 25 18:54:45 EDT 2016
http://www.jdsupra.com/legalnews/data-breaches-are-you-ready-for-the-23100/
In 2015, identity theft occurred every two seconds, disrupting the lives of
13.1 million people, according to Javelin Strategy and Research. Year after
year, U.S. data breaches have hit record highs, reports the Identity Theft
Resource Center.
Responsibility for cyber security has risen to the “C” level, where
executive officers and boards are now accountable for appropriate oversight
and safeguarding of the personally identifiable information (*PII*)
collected. Every company needs to be focused on preventing, detecting, and
responding properly to a data breach. Your company needs to have a
security plan and a response plan in place *before* a data breach occurs.
Historically, companies have been concerned primarily with damage to their
reputation resulting from a data breach incident. But the damage is
worsened if it turns out the breach could have been prevented!
PII includes your name, address, birth date, account numbers, email
addresses, passwords, and Social Security Number. It is virtually
impossible to be in business today and not collect or store PII.
*Preventing data breaches. Be Proactive.*
*Step one* is using best practices to prevent data breaches and their
resulting damage to your business’s finances, reputation, customer
relationships, and image.
Breaches can occur in countless creative ways but, in general, fall under
three main categories:
- Theft or loss of physical equipment, such as laptops, smart phones,
tablets and other mobile and storage devices.
- Illegal entry to deliberately access PII through hacking, viruses or
other methods.
- Inadequate oversight caused by lax system security.
The common denominator in most breaches is a current or former employee or
vendor. The data breach might be the intentional act of a disgruntled
person, or the result of an employee being tricked into opening a message
that appears genuine but is actually designed to break into your computer
system through malicious scams such as “phishing”, fake credentials, phony
applications, and other clever social engineering tricks.
The most important *proactive* step a company can take to prevent a data
breach is to have a comprehensive written information security plan (WISP)
in place that identifies what PII the company collects, how and where it is
stored, and who has authorized access to it. The plan should be
implemented on an enterprise-wide basis (throughout the company, not just
in the IT department), and it should be tested periodically to identify and
manage any security risks and to ensure that all employees and vendors are
complying with the plan.
*The key elements of an Incident Response Plan.*
*Step two* is the creation of an Incident Response Plan, the go-to game
plan with detailed action steps in case a data breach happens. Your
response plan should be documented in writing and regularly updated and
tested.
Your Incident Response Plan should address *key questions*:
1. *Who’s on the team?* Many people should be at the table, including
in-house personnel and outside vendors (including some you may wish to have
on retainer in case a data breach occurs). Legal counsel should provide
guidance about legal requirements, including applicable notice requirements
in your business’s home state and in the states and countries where your
customers or clients reside. Public relations personnel, skilled in crisis
management, should have draft notification letters (ready in advance of a
breach) – that are honest but calm – explaining the breach and the
remediation steps you are taking. IT experts must be engaged in advance,
standing ready to investigate the cause of the breach and take immediate
steps to contain the damage.
2. *Who’s in charge?* One person must serve as project manager or team
leader – the primary decision maker. The team reports to this person, who
in turn reports to executives (and the board). The leader must be capable
of sharing technical and legal information clearly, consistently, and
without jargon.
3. *Who needs to be notified?* Legal counsel will help you determine if
notification is required and who needs to be notified. This will depend on
whether you can determine what PII was accessed, whether it was strongly
encrypted, and what was done with the PII that was exposed.
4. *Should law enforcement be contacted?* This is a delicate issue,
since the information involved is often proprietary. Legal advice is
needed to determine whether law enforcement must be contacted. Businesses
should build relationships with law enforcement agencies in advance, so you
are not calling the FBI, Secret Service, FTC, state attorneys general, or
Homeland Security out of the blue. Law enforcement agencies can sometimes
advise businesses on data security practices and even assist them with
table-top exercises to look for problems and help plan a response to a data
breach.
5. *What recourse will be offered to victims?* After breaches, most
companies offer customers some form of remediation, often free credit
monitoring. These steps will be determined once your response team
determines what PII was accessed, what harm has been caused by the breach,
and whether the data was just viewed or duplicated.
6. *What’s the budget?* Incident Response Plans often rely heavily on
outside professionals and vendors to perform the legal analysis, technical
and forensic investigations, external and internal communications, credit
monitoring, and other steps the plan provides for – all of which is
expensive. Increasingly, businesses are purchasing cyber insurance to cover
the costs of data breaches.
*Don’t wait for an emergency! Plan for the inevitable.*
After a data breach occurs is not the time to be writing a plan and
drafting letters.
The Incident Response Plan is essential to being ‘crisis-ready’. Bringing
on an experienced firm that can help you plan for and implement practical
solutions to privacy threats and breaches and advise your business on
protecting data is critical. Solutions vary by industry, due to state and
federal laws and regulations, but with diligent guidance, businesses can do
their utmost to protect their reputations and their customers from data
breaches.