[BreachExchange] Are You Prepared? Five questions to ask about your company’s data security protections

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 31 20:41:27 EST 2018


Stories of massive data breaches have filled recent headlines. Uber
recently confirmed that hackers had stolen more than 57 million driver and
customer accounts and that the company had paid a $100,000 ransom to the
hackers. Washington State and the City of Chicago are pursuing multi-million
dollar consumer protection lawsuits against Uber, dozens of private
lawsuits have already been filed and a criminal investigation may be in the
works, given that a number of high-ranking officers at Uber were allegedly
aware of the breach for months before the company disclosed it to the

Remarkably, the breach at Uber pales in size and seriousness next to the
recent high-profile breaches at Yahoo and Equifax. Yahoo announced in 2016 that
one billion of its accounts had been compromised. Equifax confirmed in
September 2017 that sensitive information, including Social Security
numbers and driver’s license numbers, for 143 million American consumers
had been compromised.

Although massive breaches at large companies garner the most media
attention, data security is critical for companies of all sizes. Indeed,
given constant attacks and severe potential civil and criminal penalties
looming for companies and their employees, the current climate requires
that today’s businesses understand how to protect data and how to respond
in the event of a breach. Every company should have an Information Security
Plan (ISP) that sets forth, in writing, its policies and procedures
regarding privacy and data, and an Incident Response Plan that establishes
clear directives about how to respond to a data breach.

Below are five questions every company should ask in order to determine the
current status of its data security protections and its plan to remedy and
report any breaches of company data.

Do you have a privacy officer and a security officer? Every company should
designate a privacy officer and security officer so it is clear who is
responsible for monitoring and enforcing data security. In addition to
ensuring accountability, giving individuals those specific roles also
grants them the formal power to enforce company policies.

Have you done a thorough inventory of your company’s information and its life
cycle? Data security is industry and company specific. Each company must
undertake an honest, and potentially critical, assessment of its
information assets, how those assets are utilized, and its current
processes and policies. This should include both electronic and hard copy
assets. For example, a company should consider what information is
collected, how it is gathered, and what happens to it after it is utilized.
It should also include an analysis for where the information is stored and
who has access to it. Thereafter, it should assess whether it truly needs
that information, and when it can be discarded. Using outside counsel or a
third-party consultant may help keep this assessment objective.

Do you have a backup plan? Preparation for a data breach can decrease the
costs of managing a data compromise. If your office is hit with a data
breach or ransomware, do you have a backup plan? Is your electronic data
regularly backed up and are the backup data files stored securely offsite?
Do you have backup paper records? Due to technological advances, creating a
backup plan is often less expensive and less labor-intensive than many
businesses might believe.

Have you created a culture of privacy? No ISP will be truly effective
unless a company instills the belief in its employees that privacy is a
core value of the organization. There must be buy-in from the C-suite.
Although the control and movement of information is often determined by
staff or IT advisors, it is important that top levels of the organization
create the expectation that employees take privacy and security issues

Have you reviewed your vendor contracts? Many businesses enter into
third-party contracts with vendors to help their operations run smoothly.
However, this often creates vulnerabilities. Indeed, the Uber breach
occurred on a third-party server. When a company delegates tasks to third
parties beyond its control, it must review its contracts with those
entities to ensure that each vendor’s security procedures are consistent
with its ISP. In these instances, it is often helpful to have legal counsel
review the contracts.

If a data breach does occur, a company must have an effective Incident
Response Plan that will identify the scope of the breach, limit the breach
to the extent possible and effectively protect customers. In responding to
a breach, companies must navigate a complex minefield of federal and state
regulations that impose administrative, civil and even criminal penalties.
However, a common element of most regulatory requirements is prompt
notification of customers. Companies must also be prepared to take
available steps to remedy the situation to the extent possible.

The importance of having an effective ISP and Incident Response Plan cannot
be overstated. In some cases, it is not just good practice, but it is
required by law. Additionally, customers have come to expect good
cyber-hygiene from the companies with whom they do business. If you need
help determining which laws your company is subject to, and what those laws
require, contact an experienced cybersecurity lawyer, who can help you
navigate this critical process.