How to Prepare for a Data Breach (Part I)
In the last blog post, I discussed ways that a business can try to prevent a data breach. The sad and unfortunate reality, however, is that no matter what you do, most privacy and security experts agree that your business is going to suffer a data breach at some point. See J.F. Rice, “Are Breaches Inevitable?” Computerworld, Sept. 3, 2014. The Ponemon Institute, a leading research center, puts the probability of suffering a material data breach of more than 10,000 records in the next two years at 19%. See Ponemon Institute, 2014 Cost of Data Breach at 1-3.
So what should a business do? Start planning NOW for a data breach by creating an Incident Response Plan that your organization will follow in the event of a data breach. Doing so can reduce the cost of a data breach by, on average, $18 per record. Id. There are eight steps involved in preparing for a data breach and creating and implementing an adequate Incident Response Plan. The first four steps will be discussed today, and the remaining four will be discussed next week.
Step 1: Assemble an Internal Incident Response Team
Data breaches are multi-faceted events that require coordinated strategies and responses across the organization. To deal with one, you need an incident response team with representatives from all of your company’s functional groups. At the very least, your incident response team should include representatives from the following groups, each of whom must be reachable 24/7 in the event of an after-hours emergency:
Executive Management: Ideally, your team should have a management-level executive with broad decision-making authority to ensure that the breach management process moves quickly. A quick response time and effective implementation are critical factors when trying to minimize the financial and reputational harm that can result from a data breach.
If an upper-management executive can’t be spared, some companies instead appoint a lead on the incident response team with delegated authority to take certain actions and make certain decisions. This approach is a good alternative, but it becomes inefficient whenever an action exceeds the lead’s delegated authority and requires approval from the executive management team. In the absence of an upper-level executive on the team, that inefficiency will have to be tolerated, so define the limits of the delegated authority in writing ahead of time.
IT and Security: IT and security team members play a critical role in identifying the problem with your computer systems, as they are the most familiar with the network systems and security controls in your organization. Usually, however, the internal IT and security team does not conduct the forensic investigation that is needed to track down the breach and determine how it occurred. Instead, you will need an outside forensic group that possesses the specialized skills and training to perform digital forensic identification and mitigation of the breach. Your internal team will be the liaison with this outside forensic group and work with them to explain your network and its security controls. Don’t try to cut costs by avoiding the outside forensic group. Although your internal IT staff might be outstanding, having them try to identify the breach on their own will cost you more time and money over the long run. Remember that time is critical and you want to identify the problem and fix it as soon as possible. Better to use reputable forensic specialists for this task.
Legal and Compliance: You need someone from legal and/or compliance to identify the notification, legal and regulatory requirements of the breach response. This includes determining whether there is an obligation by law or by contract to notify individuals, clients or business partners of the breach, and what the content of the notice should be. Breach notification requirements vary by state and by contract, so you will need someone from legal and/or compliance to make sure you fulfill your legal obligations with respect to the data breach. This will be discussed more fully below at Step 4. If your organization does not have a legal department, hire an outside attorney who specializes in privacy and data security to help you understand your notification obligations in the event of a data breach.
Public Relations/Communications: You should also have someone who is responsible for disseminating information about the breach within your organization and coordinating the response to the public. With respect to the internal organization, your internal communications team will make sure that all your employees have talking points about the breach if they are approached. For external communications to the public, you should hire a PR firm that specializes in crisis communications, and have this PR firm take direction from and work closely with your internal communications team to coordinate the response. Don’t skimp by trying to have your internal communications team handle the media and public communications. Your reputation and business could be irreparably harmed if public communications are done poorly or improperly.
Customer Service: After a data breach, customers have lots of questions, especially those who are worried about identity theft and fraud. Your organization’s customer service department plays an important role in rebuilding your customers’ trust and ensuring that they understand what happened and how your organization is responding. If your organization cannot handle the anticipated call volume, consider engaging a call center and setting up a dedicated hotline that consumers can call to get information about the breach, as many organizations do. A dedicated website has also proven useful, so that is another option to consider. No matter which method is used, you will need your customer service department to help you understand the best way to regain your customers’ trust.
For small organizations, it may not be possible to have different people serve these different functions, since there may not be a separate communications or legal department. That doesn’t matter. The important point is to recognize that these roles are needed if a data breach occurs, and the business needs to identify who is going to fill them, even if it’s the same person!
Step 2: Establish Relationships with Breach Response Vendors and Law Enforcement
The second step is to establish relationships with breach response vendors, regulators and law enforcement before a data breach happens.
With respect to regulators and law enforcement, reach out to the relevant state Attorneys General, the Secret Service, the FBI, and any other relevant regulator to introduce your business and discuss data privacy issues as soon as possible. Doing so shows that your organization is serious about data protection and privacy and might earn your regulators’ trust and respect. You don’t want your first introduction to be when you report a data breach! A prior personal relationship may aid you when it comes time to report a data breach, and the regulators may be more inclined to offer advice, listen to your side of the story, and give you the benefit of the doubt about the steps you have taken.
With respect to vendors, several types of third-party vendors perform critical functions that are needed during a data breach. The most relevant to investigate provide the following services: computer forensics, public relations, notification activities, consumer remedies (credit monitoring and identity theft protection), call centers, and legal services.
By contacting vendors before a breach occurs, you can explore the different options available and determine the best option for your organization. It is much more difficult to assess options in the middle of a crisis, and you are more likely to purchase services that you don’t need. Also, if you are reaching out to a vendor for the first time in the middle of a crisis, you are much more likely to be charged a higher rate for emergency services. By preparing in advance, you can negotiate on price and services and get the best available deal.
Step 3: Cyber-Liability Insurance
As part of your incident response plan, consider whether your organization needs cyber-liability insurance. Effective May 1, 2014, the Insurance Services Office (ISO) introduced endorsements to its Commercial General Liability (CGL) policy form that exclude losses associated with a data breach. See Insurance Journal, ISO Comments on CGL Endorsements for Data Breach Liability Exclusions, July 18, 2014. Since the vast majority of U.S. CGL policies are partially or completely written on ISO’s standard form, your organization’s future CGL policies will likely exclude data breaches, if they don’t already.
To close this insurance gap, consider purchasing cyber-liability insurance, which provides coverage for two categories of loss: first-party and third-party. First-party losses are the expenses incurred as a direct result of responding to the breach, such as computer forensics, public relations, notification costs, and others. Third-party losses are the losses incurred from claims for damages brought by customers, consumers, and others. Depending on your organization’s needs, it may be wise to purchase insurance for one or both types of loss. Given the exorbitant costs of a data breach, it may be well worth it.
Step 4: Determine Breach Notification Requirements
Organizations should be familiar with the data breach notification requirements that govern their company in the event of a data breach. These requirements come from two sources: contracts with third parties, and the laws of the states where you conduct business and/or have customers.
Nearly all of the states (47 states plus the District of Columbia, Puerto Rico, and the Virgin Islands) have passed some form of data breach notification law. These laws address the following general categories of information:
• The definition of “personal information” identifying specific data elements that trigger reporting requirements;
• The definition of what entities are covered;
• The definition of a “security breach” or “breach” of a security of a system”
• The level of harm requiring notification;
• Whom to notify;
• When to notify;
• What to include in the notification letter;
• How to notify;
• Exceptions that may exist to the obligation to notify (or when notification may be delayed);
• Penalties and rights of action.
Although all breach notification laws address the same general categories of information, the details often differ drastically, so you need to know which states’ laws apply to your organization and what each state’s breach notification law requires. For example, Massachusetts differs substantially from many other states as to who must be notified and what the data breach notification letter may and may not contain. See M.G.L. c. 93H. Consult with an attorney and/or a data breach notification vendor to help you assess your current situation and determine which breach notification statutes are applicable.
After determining the requirements from the relevant breach notification statutes and contracts, create a chart or spreadsheet that identifies the critical details for each state, when its requirements are triggered, and the steps that need to be taken in the event of a data breach. This chart will become part of your incident response plan, so update it regularly so that it remains current. All of this may become moot if a national breach notification statute is ever passed, but I’m not going to hold my breath.
This completes the first four steps on how to prepare for a data breach and develop an incident response plan. Thanks for reading. Check back next week for Part II.