[BreachExchange] Feeling Lost in a Storm After Suffering a Data Breach?

[Audrey McNeil]

http://www.jdsupra.com/legalnews/feeling-lost-in-a-
storm-after-suffering-36457/

When faced with a data breach, it’s easy for companies to feel like they’re
attempting to navigate a storm without a rudder.

To provide a guiding light to companies, the Federal Trade Commission
(“FTC”) recently issued a guide for businesses, with an accompanying video
and blog post, on how to handle a data breach response. While every data
breach incident is unique, the FTC’s guide provides a primer, enabling
businesses to understand what regulators expect to be done following the
compromise of personally identifiable information held by a company.

The FTC’s guide starts with the assumption that the company has suffered a
data breach. Often, the determination of whether or not a breach has
actually occurred is not answered so easily, requiring extensive
investigation and complex digital forensic analyses to determine the
specific facts concerning the incident and what information, if any, may
have been compromised. As with all aspects of a data breach response, this
determination is entirely dependent upon the specific circumstances
surrounding the potential security incident. Building from this assumption,
the FTC explains what steps a company should take to address the breach.

Secure Your Operations

The FTC explains that a company must have a sense of urgency and quickly
move to fix the vulnerabilities and plug the leak. Ideally, companies have
already created an Incident Response Plan (“IRP”) they can trigger to
effectively and efficiently address a data security incident. For companies
without an IRP, it is recommended that one be developed in a manner that is
tailored to account for the company’s resources and obligations. The
process of creating an IRP will cause a company to identify an appropriate
team of stakeholders and first responders to provide a comprehensive breach
response.

The Incident Response Team (“the Team”) should include individuals with
ownership over business units throughout the enterprise, such as:

information technology,
financial affairs,
human resources,
legal affairs,
marketing and communications,
and should include representation from executive management.

The team membership should have decision-making authority to quickly set a
course of action in the midst of a digital crisis. Additionally, this team
should include third party resources with forensics capabilities to
determine the source and the scope of the breach, and to contain and
remediate as quickly as possible. It should also include legal counsel to
ensure that efforts are in line with the company’s legal obligations.
Ideally, the team will have had a chance to practice, or test, the IRP
before a crisis arrives to ensure that everyone is familiar with their
roles and responsibilities. When the crisis does arrive and the team is
assembled, the work begins.

The FTC expects that following discovery that a data breach has occurred, a
company will work expediently to secure its operations. The company is
expected to secure physical areas that were compromised and stop additional
data loss (for example, by severing the connection between a stolen laptop
and the company’s servers). If information was improperly posted online, a
company should remove it as soon as possible, to the extent possible (this
ability might be limited where the information is posted on a third party
website). Finally, the company should interview the individual(s) who
discovered the breach and be sure that any forensic evidence gathered is
NOT subsequently destroyed. These efforts should be conducted at the
direction of the response team, and under the direction of legal counsel in
order to preserve privilege over documents created in anticipation of
anticipated legal action.

Fix Vulnerabilities

After the company has prevented further data loss and understands what
happened to cause it, the FTC explains that the next step is to right the
ship. Companies should take what they learn about the nature of the breach
and look towards how they can prevent a recurrence. This may mean looking
into relationships with service providers or making sure that a company’s
network is properly segmented to limit access to sensitive information.
Here is where a company’s forensics experts (either in house or external)
can be of particular utility to figure out precisely what went wrong and
what can and should be done going forward.

Further, following the announcement of a data breach incident, a company
may suffer a loss of confidence in their clients, customers, or other
stakeholders, even when there was little that could have been done to
prevent the breach. Therefore, a company is well-advised to create a
communications plan covering how the news of the breach incident will be
addressed, ensuring a consistent, unified, and accurate message that
doesn’t inadvertently mislead.

Notify Appropriate Parties

The final step of a company’s breach response is to recognize that there
may still be rough regulatory waters to navigate. Once the company knows
what information has been compromised, if any, it may have legal
obligations to notify consumers or other companies of the incident. Some
states have statutory requirements dictating that companies must notify
individuals and state attorneys general when certain threshold requirements
are met and, in some instances, within certain time periods from discovery
of the breach. A number of states have different requirements that must be
taken into account as a company moves forward in the breach response
process. More information on what each state may require is available via
DWT’s State Data Breach Heat Map.

Even without a strict legal obligation to notify individuals, business
partners, or law enforcement, there may be certain benefits for a company
to make voluntary notifications in many instances. Additionally, certain
additional notification requirements may apply if certain data is at issue
such as protected health information or payment card information.

When a company decides to notify individuals and regulators, it must comply
with each state’s statutory requirements for the content, method, and
timing of those notifications. For individuals, the FTC recommends
considering the offer of at least a year of free credit monitoring to
remediate potential harm, where appropriate. While each state has different
specific requirements, there are certain broad commonalities among the
states such that the FTC has provided a model letter that can be used as an
outline for companies to build upon for their own notification efforts.

Conclusion

Addressing a data breach incident can be quite daunting, particularly given
the need for a prompt and effective response to the situation. Companies in
the best position to react are those with an IRP which addresses, among
other things, each of the points addressed in the FTC guidance. The IRP
should also be practiced, or tested, so that the company experiences the
response before the crisis arrives.

Additionally, given the increasing likelihood of litigation arising from
data breach incidents, companies should engage legal counsel to direct
response efforts in order to properly navigate legal liability and preserve
privilege over certain documents where appropriate. The compromise of
sensitive information need not cause a company to shipwreck. If a company
reacts quickly, effectively, and in line with the guidance issued by the
FTC, it should be able to weather the storm.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161115/ff652d4a/attachment.html>