How to Prepare for A Data Breach (Part 2)
In addition to the steps discussed last week, a business should take the following steps to prepare for a data breach:
Step 5: Arrange Possible Remedies for Customers
A recent study shows that 25% of individuals notified of a data breach go on to suffer identity theft. To combat this, most companies now offer – and consumers expect – some form of credit monitoring services for affected individuals.
Credit monitoring services are directed at fraud in connection with new financial accounts. This fraud occurs when a criminal uses a victim’s personal information to open a new credit card or other financial account. Credit monitoring does not prevent the opening of new accounts, but notifies an individual when a new account is opened, so that the individual can determine whether it is fraudulent.
Although a credit monitoring service is nice, it is not that effective at actually preventing identity theft and is often a waste of money. See Brian Krebs, “Are Credit Monitoring Services Worth It?” Notably, there are at least five types of identity theft fraud not covered by credit monitoring services:
Existing account fraud: Occurs when a criminal uses an individual’s current financial account, such as a credit card account or bank account, to make a purchase from a vendor or withdraw money from the individual’s bank account.
Social Security number and tax refund fraud: Occurs when a criminal uses an individual’s SSN to obtain employment, for tax reporting purposes, or for other illegal transactions. Tax refund fraud is a rapidly growing problem and the IRS is attempting to combat it.
Criminal identity theft: Occurs when an imposter provides another person’s name and personal information to a police officer during an arrest. The imposter often fraudulently obtained a driver’s license in the victim’s name and provides the identification document to law enforcement.
Medical identity theft: Occurs when a crook uses an individual’s name and/or other information, such as insurance information, to obtain or make false claims for medical goods or services. Medical identity theft may result in false entries being made in a medical record, or the creation of fictitious records in the victim’s name.
To try to combat some of these other types of identity theft, many vendors now offer expanded identity theft monitoring services that provide additional monitoring, such as monitoring commercial and public databases and online chat rooms. These services vary widely, so you’ll need to investigate carefully to determine which service is best for your customers in the event of a data breach. The Consumer Federation of America provides some helpful guidance about selecting an identity theft service provider and some assessments of the services offered. See Consumer Federation of America, “Best Practices for Identity Theft Services: How Are Services Measuring Up?” Things may have changed since 2012, so make sure to update the information and look for additional identity theft monitoring service providers.
By looking into remedies now, you will be able to evaluate and assess the complete range of available remedies, and select the one that makes the most sense for your customers and business in the event of a data breach. You may also be able to negotiate the best price and gain service concessions. None of this could be done in the middle of a data breach crisis.
Step 6: Draft Incident Response Plan
You can now begin drafting your Incident Response plan (the “Plan”). As a word of warning, this document can get very long and detailed, depending on the size and complexity of your organization. There are many on-line guides that can provide guidance, such as the guides at the SANS Information Security Resources. However, to ensure the Plan is done properly, you may want to consult with a privacy and data security attorney or some other third-party vendor.
The basic elements to include in the Plan are:
• Overview: The Plan should have an overview section that outlines the goals, scope, purpose and assumptions of the Plan.
• Roles and Responsibilities of Incident Response Team members: The Plan should identify each incident response team (the “Team”) member, their contact information, and his/her role or responsibility. It is better to have this information in writing so each Team member knows exactly what he/she is responsible for when a data breach occurs. This information should be continuously updated, especially if one member leaves the organization.
• Incident Definition and Classification: The Plan should create an event classification system that defines what constitutes an incident, when an incident is serious, and the specific types of incidents that will set the plan in motion. For example, port scans are not usually particularly serious, and it is doubtful that these events will set the Plan in motion. But a web security breach or a malware infection should warrant a more urgent response and the Team may need to be notified and the Plan set in motion.
• Notification: The Plan should identify the specific triggers to notify, and the procedures to follow when notifying, each of the following: the Team, insurers, law enforcement, outside attorneys, third parties and customers. Depending on the type and severity of the event, these groups will be notified at different times, and there will be specific procedures that need to be followed. Include all statutory and contractual breach notification requirements in the Plan. Also include all insurance notification requirements. If you choose to use a third-party vendor to notify customers, include all relevant contact information and details of any negotiated deal in the Plan.
• Current Network Infrastructure & Payment Processing Systems: The Plan should also identify, diagram, and include all supporting documentation regarding your organization’s web system architectures, network infrastructure, information flows, payment processing systems, and any other applicable system that contains or processes sensitive personal information.
• Existing Security Safeguards: The Plan should identify all currently operating safeguards that can assist with detection and prevention, including an intrusion-prevention system (IPS), firewall, web-application firewall (WAF), and endpoint security controls for the web, applications, and database servers.
• Detection, Investigation and Containment: The Plan should outline the procedures for detecting, investigating and containing the incident. Keep in mind that these procedures will vary by the type of incident and the system involved, and may involve contacting third parties such as law enforcement and forensic investigators. Identify the circumstances under which these third parties will be brought in and include all potentially relevant information in the Plan.
• Customer Remedies: If your organization chooses to offer remedies to customers, such as identity protection service, then your Plan should identify the specific circumstances when the remedies will be offered. It should include the contact information of the third-party service provider and the terms of any deal that was negotiated.
• Eradication, Cleanup and Recovery: The Plan should also contain the procedures to follow to get the infected system back up and running. The cleanup will vary depending on the type of system and the type of attack, but you want policies and procedures in place about how to handle it. In order to preserve other parts of your IT system, you also want to have procedures about the steps to take before putting the infected system back into production.
• Post-Incident Review and Follow-up: Your Plan needs to include the date for a mandatory follow-up meeting with the Team in order to learn from the incident. The purpose is to process all of the information that was learned from the incident and figure out if your security posture needs modification to prevent future attacks. There are likely several questions that will need to be addressed, but try to avoid spending the meeting finding someone to blame. It will be a waste of time and energy and will not improve the security of your organization.
Step 7: Employee Awareness and Readiness Training
As part of your organization’s privacy program, your employees are probably already trained on privacy fundamentals like data collection, retention, use and disclosure. Your organization should also train every employee about basic breach response procedures and protocols, like what constitutes a data breach and whom to call if a data breach is suspected. You should also require third-party vendors to do the same. Team members should receive regular in-depth training about how to investigate a data breach, report findings, and communicate with media and regulatory authorities. Any completion of required training should be documented and reported to management for internal policy compliance.
Step 8: Crisis Simulation & Revision
It is important to know how your organization will fare during a breach crisis and identify and correct any gaps. The best way to assess your organization is by running two types of breach crisis simulations: a table-top exercise and a “live” simulation.
A tabletop exercise is a simple way to practice executing your Plan without the expense or interruption of a full scale drill. In a tabletop exercise, Team members talk through a breach crisis scenario in a “war room” type of setting. These exercises should involve everyone on the Team so that every member has an opportunity to think through their role during a breach event.
“Live” simulations are more elaborate and tend to mimic real-world conditions more closely than tabletop exercises. “Live” simulations are usually impromptu events that can occur at any time, including in the evening or on a holiday, like a real breach. The most effective simulations involve the breach response vendors that your organization has contracted with, as well as your internal Team. In a “live” simulation, systems are actually compromised and even social media uproars can be created. Talk with your service providers to develop a simulation exercise that includes everyone.
After conducting simulations, evaluate the effectiveness of your Plan to identify any gaps in your organization’s response. Revise your Plan to fill these gaps and ensure that your organization improves.
If you follow all eight of these steps, your organization will be better prepared for the inevitable data breach. Thanks for reading. Please let me know if you have any questions or wish to offer suggestions based on your experience.