[BreachExchange] 4 Questions Every CEO Must Ask After a Hack

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 6 19:02:43 EST 2017


https://www.inc.com/schuyler-brown/4-questions-every-ceo-must-ask-after-a-hack.html

There are four words no executive wants to hear from their IT team:
"There's been a breach." Your mind starts racing. You have a thousand
questions, but your team has few answers. They're too busy scrambling to
shut down systems and figure out the extent of the data breach.

We all understand how critical those early minutes are from a technical
perspective, but few recognize their relevance from a legal and regulatory
perspective. I spoke to Jennifer Reuhr, Adobe's legal counsel on privacy
and security, and she helped shed some light on the matter for
entrepreneurs and small business owners everywhere.

To understand your legal exposure, Reuhr says, start by asking these four
questions:

1. What information was impacted?

It's important to understand whether the breach included any personally
identifiable information (PII). Regulators hold you to a much higher
standard if that data includes things like email addresses, phone numbers,
or health information.

If such information was included, Reuhr recommends assembling a team of
"internal and external parties such as forensic investigators, outside
counsel, and your insurer."

She continues:

"It could be a good idea to bring in some internal parties right away, like
customer care and communications even if legal obligations for
notifications are still being reviewed. You'll want the input and
experience of teams who understand the customer's perspective in addition
to determining the legal obligation."

2. How many customers were impacted?

The number of customers impacted will inform both your communication and
legal strategy.

"Most regulations don't have a [minimum] threshold of impacted users to
notify individuals," says Reuhr. But the smaller the number, the more you
can focus on direct communication with customers.

As the number increases, you may need to anticipate class action lawsuits,
unwanted press coverage, and damage to your brand's reputation.

3. What geographies were impacted?

"The triggers for who needs to be notified and when will differ based on
where the individual resides," says Reuhr. There are 49 different regulators
in the United States alone that each govern different jurisdictions. If any
European Union citizens were impacted, there's even more red tape for you
to navigate.

"In Europe, the definition of what is personal data is pretty expansive,
whereas in the U.S., most state and federal laws are sector specific or
focused on sensitivity of the data (e.g. financial, health, national ID),"
Reuhr adds.

Each regulator has different timelines for breach notifications and the
clock is ticking. You need to quickly identify which are relevant so that
your lawyers can contact the appropriate regulators.

4. Do we have logs?

For anyone unfamiliar with the term, logs are a historical record of
actions taken on a database or server. Think of them as an audit trail to
understand who did what, when, and where. They are essential to help your
technical team understand the scope and source of the damage, but they also
play a regulatory role.

Remember that privacy policy you wrote all those years ago? It may make
representations about how data is stored, accessed, and analyzed.

If it does, regulators may require evidence that your team followed any
defined policies and procedures. That means you'll need logs to demonstrate
what monitoring was in place and how your team responded.

If any of your contracts include Service Level Agreements (SLAs) that commit
to providing clients with privacy protections, you may also need those logs
to demonstrate to clients that you have fulfilled your contractual
obligations.
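One way to find out before an incident whether your audit trail can actually answer "who did what, when, and where" is to run a readiness check over the logs you already collect: every entry should carry an actor, an action, a timestamp and a source system, and no monitored system should go silent for longer than you expect. The following Python script is an added example, not code from the article or from Adobe; the field names, the one-hour silence threshold and the sample log lines are constructed assumptions.

```python
"""Audit-log readiness check (added example; field names and samples are assumed).

Reads structured audit log lines (one JSON object per line) and reports:
  - lines that are not parseable at all,
  - entries missing any of who / what / when / where,
  - monitored systems that went silent for longer than max_gap.
Finding these gaps in advance is what lets a team answer "do we have logs?"
with evidence rather than a guess.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumed field names, mapped to the question each one answers.
REQUIRED_FIELDS = {
    "actor": "who",
    "action": "what",
    "timestamp": "when",
    "system": "where",
}

# Constructed sample log lines: one entry lacks an actor, one system is silent
# for 4.5 hours, and one line is not JSON at all.
SAMPLE_LOG = """\
{"timestamp": "2017-11-06T09:00:00Z", "actor": "alice", "action": "login", "system": "crm-db"}
{"timestamp": "2017-11-06T09:05:00Z", "actor": "alice", "action": "query", "system": "crm-db", "resource": "customers"}
{"timestamp": "2017-11-06T09:10:00Z", "actor": "svc-backup", "action": "export", "system": "crm-db"}
{"timestamp": "2017-11-06T09:12:00Z", "action": "delete", "system": "crm-db"}
{"timestamp": "2017-11-06T09:00:00Z", "actor": "bob", "action": "login", "system": "web-app"}
{"timestamp": "2017-11-06T13:30:00Z", "actor": "bob", "action": "logout", "system": "web-app"}
not json at all
"""


def parse_lines(text):
    """Yield (line_number, entry); a malformed line yields entry=None."""
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            yield number, json.loads(raw)
        except json.JSONDecodeError:
            yield number, None


def parse_timestamp(value):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' format as a UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_log(text, max_gap=timedelta(hours=1)):
    """Return a readiness report over the given log text."""
    report = {"malformed": [], "incomplete": [], "gaps": []}
    seen = {}  # system -> timestamps of the entries it produced
    for number, entry in parse_lines(text):
        if entry is None:
            report["malformed"].append(number)
            continue
        missing = [REQUIRED_FIELDS[f] for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            report["incomplete"].append((number, missing))
        if "timestamp" in entry and "system" in entry:
            seen.setdefault(entry["system"], []).append(parse_timestamp(entry["timestamp"]))
    # A silence longer than max_gap between consecutive entries is a monitoring gap.
    for system, stamps in seen.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_gap:
                report["gaps"].append((system, earlier.isoformat(), later.isoformat()))
    return report


def is_ready(report):
    """True only when every entry is complete and no system went silent."""
    return not (report["malformed"] or report["incomplete"] or report["gaps"])


if __name__ == "__main__":
    result = check_log(SAMPLE_LOG)
    print(json.dumps(result, indent=2))
    print("ready:", is_ready(result))
```

Run against real exports the same way, with `max_gap` set to the heartbeat interval each system is expected to produce; a report that is not "ready" is a list of the exact monitoring gaps to close before, rather than during, an incident.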

Make sure that your IT, engineering, and security teams are familiar with
these questions in advance. You do not want them to waste valuable hours
trying to track down answers during a breach only to discover that they do
not have sufficient monitoring in place.

Invest the time to develop a common vocabulary, set expectations and define
a formal response plan that assigns roles and responsibilities before an
incident ever occurs so that no one is surprised to hear these questions
during the stressful aftermath of a data breach.

That shared understanding can help everyone involved establish priorities
and focus in what can otherwise be a pretty chaotic time. It will also
ensure that your team has put in place the monitoring necessary to answer
these questions.