[BreachExchange] Before the Breach: Best Practices and Policies to Minimize Risk
destry at riskbasedsecurity.com
Mon Oct 22 23:19:42 EDT 2018

The United States has experienced the most cybersecurity breaches in
the world and the Equifax Breach was one of the first to be considered
a “mega breach.” The headlines immediately attempted to lay the blame,
in large part, on the fact that Equifax’s chief information security
officer was a music major and did not have a background in technology.
Equifax was not special in this regard. In fact, recent research
reveals that about 60% of information security stakeholders have an IT
background, but about the same amount lack formal technical
training. That being said, there is no body of evidence that
indicates a direct correlation exists between an information security
stakeholder’s non-technical background and the likelihood of a breach.

If having a skilled technical staff isn’t critical, then what
arrangements should a company have in place to mitigate the occurrence
of a data breach and to avoid the fines and penalties that can follow?
In the absence of a law that contains prescriptive requirements (e.g.,
the Health Insurance Portability and Accountability Act (HIPAA)), the
answer is generally that a company should implement a “reasonable data
privacy and security program” under all circumstances.

The standard of a “reasonable data privacy and security program” has
been relied upon by the Federal Trade Commission (FTC) in data privacy
enforcement actions for years and was recently added to a number of
state data breach notification laws as a requirement. Additionally,
beginning in May 2018, companies subject to the General Data
Protection Regulation (GDPR) have a duty to maintain appropriate
technical and organizational measures to safeguard personal data,
taking into account available technologies; costs of implementation;
and the nature, scope, and purposes of processing personal data. Note
that this is an organic expectation. The technologies existing in 2018
will undoubtedly differ from those that exist in 2020.

The FTC considers that ‘reasonable security’ doesn’t mean ‘perfect
security.’ However, some of the enforcement actions brought thus far
shed light on what it does mean, which includes:

* Companies should have written data privacy and security policies and
  procedures in place.
* Companies should implement training on those policies, procedures, and
  best practices to increase awareness of the threat landscape (e.g.,
  phishing emails) and to create a culture of empowerment rather than
* For companies that process large quantities of personally identifiable
  data, it would be considered reasonable to hire an outside vendor to
  perform an information security risk assessment on a regular basis to
  identify network and system vulnerabilities.
* Companies should implement solutions for the high risk vulnerabilities
  and conduct continuous monitoring of the network and system strengths
* Companies of all sizes should have a written security incident
  response plan in place before a breach occurs and the plan should be
  tested at least annually.

Even the best security program is not bulletproof. Breaches will
continue to occur because cybercriminals and malware continue to grow
more sophisticated than the solutions that companies implement. Yet,
there are quantifiable benefits for establishing a reasonable data
privacy and security program.

First, companies that build and maintain a reasonable privacy and
security program are typically subject to reduced fines and penalties
in the event a consumer complaint or a breach is brought to the
attention of a regulator. Regulators routinely request the information
listed above in order to determine the level of seriousness with which
a company takes its duties and responsibilities to protect personal
data. Companies that provide proof they take data protection
responsibilities seriously are less likely to suffer extreme financial
losses than those that don’t.

The penalty-reducing benefit of establishing appropriate
administrative, technical, and physical breach prevention practices is
especially significant for businesses within scope of the GDPR because
of the astronomic size of fines that can result from violation of some
of the directives. Further, businesses subject to the HIPAA Privacy
and Security Rules also realize smaller penalties when they can
provide the Health and Human Services’ Office of Civil Rights with
proof of their efforts to comply with the Security and Privacy Rules.

A second quantifiable benefit of maintaining a reasonable and
appropriate security program is the ability to negotiate a smaller
quote for a standalone Network Security and Privacy Liability
Insurance policy. The internal risk reduction of a data breach
translates to dollar savings over the life of a policyholder’s
premium. In fact, some of our clients realized the benefit of an
automatic renewal without premium adjustment.

Last, but not least, a tremendous benefit of putting these
programs in place – before a breach occurs – is the ability to
minimize the risk and severity of a breach altogether. A company is
only as strong as its weakest link and that weak link is all too often
a human being. A reasonable security program helps to raise awareness
about best practices and establishes and reinforces a baseline culture
of privacy. While these benefits are not ordinarily measured by
dollars, a record of only a few and minor data breaches fosters trust
and loyalty among customers and, therefore, could be described as