[BreachExchange] Planning for the Perilous Consequences of a Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 15 18:50:59 EST 2018


The nightmare scenario for corporate boards and senior executives revolves
around the impact of a major data breach. We have seen this first hand with
Equifax, Anthem, and Target, as prime examples.  In the Equifax case alone,
the personal information of more than 140 million individuals is estimated to
have been exposed in the attack.  It is easy to understand how, in these
circumstances, a company can quickly find itself fighting for its life.

The risks start with negative publicity and Congressional intervention and
hearings, extend to breach remediation costs (technical and legal) and
corporate governance challenges, and end in the almost inevitable follow-on
litigation.  The costs of a data breach keep mounting, and companies can no
longer ignore the impact of such an event.  Given the potentially devastating
impact, companies have to treat cyber insurance as one component of an
overall compliance and remediation strategy, not as a substitute for one.

A Data Breach Emergency Protocol is a critical component of every
Cybersecurity Compliance Plan.  A data breach is generally defined as the
unauthorized acquisition or disclosure of sensitive information, whether
personal data or business secrets, to a party inside or outside the
organization.  To protect against such attacks, companies rely on a variety
of controls: firewalls, dedicated security teams, strong authentication, and
access controls that limit who can reach sensitive data.

In the simplest terms, a breach can occur when someone obtains a valid
username and password and uses them to enter the company's network.  With the
advent of cloud computing and increasingly sophisticated attack techniques,
perimeter-focused security strategies are quickly becoming outmoded.

Companies are now focusing on strategies that protect the sensitive data
itself through encryption.  Each individual user then has to be authorized at
a second level, separate from network access, before the sensitive data can
be decrypted and read.

Nearly every state has established data breach notification requirements.
Despite numerous attempts, Congress has been unable to establish a federal
standard that would preempt the state requirements.  The individual state
laws usually define what counts as a data breach, who has to be notified,
what form the notification must take, what remedial action has to be taken,
and the penalties for failure to comply with these requirements.

When customer information is breached, companies have to establish where each
affected customer resides, because the notification law of the customer's
state of residence generally applies.  Breaches that involve personal,
health, and financial data require robust notification and remediation
efforts.

The costs of notification are just the beginning.  Customer support for
individuals who need assistance, compensation for damages, and the reissuing
of payment cards, for example, can quickly add to a company's costs to
remediate after a data breach.

Given the increasing burden being imposed by the states, companies need to
have prompt and comprehensive notification and remediation plans in place.
If a company fails to comply with these requirements, the headaches, legal
consequences, reputational damage and penalties multiply.

A company's response to a data breach is the most critical step it can take
to limit the damage to its reputation.  When faced with a data breach crisis,
a company has to rally around a comprehensive plan, stick to that plan, and
address issues as they arise.  An emergency response plan can never
anticipate every issue, but it should have contingencies for the most
significant scenarios.

More companies are employing proactive technical protections against data
breaches.  A company that segregates and encrypts its sensitive data, with
the encryption keys held apart from the data, may avoid a data breach as
defined under state laws: an intruder who copies the encrypted records
without also obtaining the keys has nothing usable.  Most state statutes
exclude properly encrypted data from the definition of a breach, provided the
key was not also compromised, so encryption can create a safe harbor from
data breach notification requirements and their consequences.  That safe
harbor is lost if the intruder reaches the keys or a system where the data is
decrypted in the clear.
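The following Go program is an added example, not code from the original post, showing the pattern the two encryption paragraphs above describe: sensitive fields are stored only as ciphertext, the key lives in a separate service that decrypts only for callers on an allow-list (the second-level authorization), and a copy of the datastore on its own contains nothing readable.  The KeyService, Datastore, the caller names "billing-svc" and "intruder", and the sample card number are all constructed for illustration; a real deployment would put the key in an HSM or KMS and derive the caller identity from an authenticated credential rather than a string.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrNotAuthorized = errors.New("caller not authorized to decrypt sensitive data")

// KeyService is a hypothetical stand-in for an HSM or KMS. The AES-256 key
// never leaves it, and it decrypts only for allow-listed callers: that check
// is the second-level authorization, independent of access to the datastore.
type KeyService struct {
	aead    cipher.AEAD
	allowed map[string]bool
}

func NewKeyService(allowed map[string]bool) (*KeyService, error) {
	key := make([]byte, 32) // AES-256 key, generated here, never persisted with the data
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyService{aead: aead, allowed: allowed}, nil
}

// Encrypt seals plaintext with a fresh random nonce and binds recordID as AAD,
// so a stolen blob cannot be replayed under another customer's ID.
// Output layout: nonce || ciphertext || tag. Any caller may write.
func (ks *KeyService) Encrypt(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, ks.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return ks.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Decrypt is the gate: unauthorized callers get nothing, and tampering or a
// swapped record ID fails the GCM authentication check.
func (ks *KeyService) Decrypt(caller, recordID string, sealed []byte) ([]byte, error) {
	if !ks.allowed[caller] {
		return nil, ErrNotAuthorized
	}
	n := ks.aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return ks.aead.Open(nil, sealed[:n], sealed[n:], []byte(recordID))
}

// Datastore holds only ciphertext and no key material at all.
type Datastore struct{ records map[string][]byte }

func NewDatastore() *Datastore { return &Datastore{records: map[string][]byte{}} }

func (d *Datastore) Put(ks *KeyService, id string, sensitive []byte) error {
	ct, err := ks.Encrypt(id, sensitive)
	if err != nil {
		return err
	}
	d.records[id] = ct
	return nil
}

func (d *Datastore) Get(ks *KeyService, caller, id string) ([]byte, error) {
	ct, ok := d.records[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	return ks.Decrypt(caller, id, ct)
}

// Leaked models an intruder who copied the whole datastore but never reached
// the key service: true only if the secret appears in clear in any record.
func (d *Datastore) Leaked(secret []byte) bool {
	for _, ct := range d.records {
		if bytes.Contains(ct, secret) {
			return true
		}
	}
	return false
}

func main() {
	ks, _ := NewKeyService(map[string]bool{"billing-svc": true})
	ds := NewDatastore()
	card := []byte("4111 1111 1111 1111") // constructed sample, not real data
	_ = ds.Put(ks, "cust-1", card)
	pt, err := ds.Get(ks, "billing-svc", "cust-1")
	_, denied := ds.Get(ks, "intruder", "cust-1")
	fmt.Printf("billing-svc=%q (%v); intruder=%v; leaked=%v\n", pt, err, denied, ds.Leaked(card))
}
```

The point of the split is that a database dump, backup, or SQL injection against the Datastore yields ciphertext only; to read it an attacker must additionally compromise the KeyService or impersonate an allow-listed caller, which is exactly the "key not also compromised" condition that state safe-harbor provisions turn on.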