[BreachExchange] Timing Is Everything in Data Breach Investigations

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 2 19:09:51 EDT 2016


http://www.lexology.com/library/detail.aspx?g=b3033bdf-64ef-43eb-a90a-
a00b343a41a2

In cybersecurity, it's best to learn from others' mistakes. Every company
now has an opportunity to learn a lesson that Yahoo might have to learn the
hard way: delays in discovering, investigating, and disclosing data
breaches can cause huge problems.

Yahoo recently announced the compromise of more than 500 million user
accounts in what appears to be the largest reported data breach in history.
Experts have opined on several potential fallouts from the breach,
including the possible collapse of Verizon's $4.8 billion bid to purchase
Yahoo and the end of the Web's reliance on passwords and security
questions. But it's the timing of Yahoo's actions that may prove to be the
most instructive aspect of this breach.

Although the data breach reportedly occurred in late 2014, it was allegedly
not discovered until the summer of 2016 and not made public until September
2016. The public announcement came just two months after Yahoo announced
Verizon's bid to buy its operating assets, and mere weeks after Yahoo
reported to the Securities and Exchange Commission that it knew of no
incidents of unauthorized access of personal data that might adversely
affect the proposed acquisition.

Members of U.S. Congress have referred to the apparent delays as
"unacceptable," and at least one senator has requested an investigation by
the SEC, raising the possibility that Yahoo has not fully complied with the
SEC's 2011 Guidance Concerning Cyber Security Incident Disclosure.

Whatever the outcome for Yahoo, the events serve as a reminder to all
companies: when it comes to data breaches, delay – or even the perception
of delay – can dramatically increase risks and can draw increased scrutiny
from regulators, press, and potential plaintiffs.

Happily, companies can take several measures to help guard against such
costly delays:

- Detect – Implement comprehensive and rigorous written information
security policies containing monitoring requirements, periodic technical
assessments, and other measures that will help ensure your company detects
data breaches in a timely manner.
- Respond – Prepare your incident response plan before the emergency
strikes. Be sure it enables your response team to swiftly investigate,
respond, and resolve incidents. Taking the weekend off after a potential
breach might be the difference between a false alarm and the front page.
- Special Cases – Companies in regulated industries, sensitive public
relations situations, or pivotal business maneuvers (such as mergers and
acquisitions) should ensure that these special circumstances are
appropriately addressed in their incident response policy. Perceptions of
negligence or dishonesty can cause an already-difficult situation to
rapidly deteriorate.

In short: prepare in advance and stay vigilant. Paying attention to your
company's cybersecurity posture and being mindful of the urgency of
cybersecurity compromises can help your company avoid being the next Yahoo.
For more information or to ensure your cybersecurity policies are effective
in protecting your business, contact a Dinsmore attorney.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161102/dba8d105/attachment.html>


More information about the BreachExchange mailing list