Data Breaches: Are You Ready (for the inevitable)?
May 4, 2016
By: Elaine A. Stanko
“There are two types of companies: those that have been hacked, and those that don’t know they’ve been hacked.” ~ John Chambers, former CEO of Cisco
In 2015, identity theft occurred every two seconds, disrupting the lives of 13.1 million people, according to Javelin Strategy and Research. Year after year, U.S. data breaches have hit record highs, reports the Identity Theft Resource Center.
Responsibility for cyber security has risen to the “C” level, where executive officers and boards are now accountable for appropriate oversight and safeguarding of the personally identifiable information (PII) collected. Every company needs to be focused on preventing, detecting, and responding properly to a data breach. Your company needs to have a security plan and a response plan in place before a data breach occurs. Historically, companies have been concerned primarily with damage to their reputation resulting from a data breach incident. But the damage is worsened if it turns out the breach could have been prevented!
PII includes your name, address, birth date, account numbers, email addresses, passwords, and Social Security Number. It is virtually impossible to be in business today and not collect or store PII.
Preventing data breaches. Be Proactive.
Step one is using best practices to prevent data breaches and their resulting damage to your business’s finances, reputation, customer relationships, and image.
Breaches can occur in countless creative ways but, in general, fall under three main categories:
- Theft or loss of physical equipment, such as laptops, smart phones, tablets and other mobile and storage devices.
- Illegal entry to deliberately access PII through hacking, viruses or other methods.
- Inadequate oversight caused by lax system security.
The common denominator in most breaches is a current or former employee or vendor. The data breach might be the intentional act of a disgruntled person, or it might result from an employee being tricked into opening a message that appears genuine but is actually designed to break into your computer system, through malicious scams such as “phishing”, fake credentials, phony applications, and other clever social engineering tricks.
The most important proactive step a company can take to prevent a data breach is to have a comprehensive written information security plan (WISP) in place that identifies what PII the company collects, how and where it is stored, and who has authorized access to it. The plan should be implemented on an enterprise-wide basis (throughout the company, not just in the IT department), and it should be tested periodically to identify and manage any security risks and to ensure that all employees and vendors are complying with the plan.
The key elements of an Incident Response Plan.
Step two is the creation of an Incident Response Plan, the go-to game plan with detailed action steps in case a data breach happens. Your response plan should be documented in writing and regularly updated and tested.
Your Incident Response Plan should address key questions:
- Who’s on the team? Many people should be at the table, including in-house personnel and outside vendors (including some you may wish to have on retainer in case a data breach occurs). Legal counsel should provide guidance about legal requirements, including applicable notice requirements in your business’s home state and in the states and countries where your customers or clients reside. Public relations personnel, skilled in crisis management, should have draft notification letters ready in advance of a breach, honest but calm in tone, explaining the breach and the remediation steps you are taking. IT experts must be engaged in advance, standing ready to investigate the cause of the breach and take immediate steps to contain the damage.
- Who’s in charge? One person must serve as project manager or team leader – the primary decision maker. The team reports to this person, who in turn reports to executives (and the board). The leader must be capable of sharing technical and legal information clearly, consistently, and without jargon.
- Who needs to be notified? Legal counsel will help you determine if notification is required and who needs to be notified. This will depend on whether you can determine what PII was accessed, whether it was strongly encrypted, and what was done with the PII that was exposed.
- Should law enforcement be contacted? This is a delicate issue, since the information involved is often proprietary. Legal advice is needed to determine whether law enforcement must be contacted. Businesses should build relationships with law enforcement agencies in advance, so you are not calling the FBI, Secret Service, FTC, state attorneys general, or Homeland Security out of the blue. Law enforcement agencies can sometimes advise businesses on data security practices and even assist them with table-top exercises to look for problems and help plan a response to a data breach.
- What recourse will be offered to victims? After breaches, most companies offer customers some form of remediation, often free credit monitoring. These steps will be determined once your response team determines what PII was accessed, what harm has been caused by the breach, and whether the data was just viewed or duplicated.
- What’s the budget? Incident Response Plans often rely heavily on outside professionals and vendors to perform the legal analysis, technical and forensic investigations, external and internal communications, credit monitoring, and other steps the plan provides for – all of which is expensive. Increasingly, businesses are purchasing cyber insurance to cover the costs of data breaches.
Don’t wait for an emergency! Plan for the inevitable.
After a data breach occurs is not the time to be writing a plan and drafting letters.
The Incident Response Plan is essential to being ‘crisis-ready’. Bringing on an experienced firm that can help you plan for and implement practical solutions to privacy threats and breaches and advise your business on protecting data is critical. Solutions vary by industry, due to state and federal laws and regulations, but with diligent guidance, businesses can do their utmost to protect their reputations and their customers from data breaches.
Elaine A. Stanko is a member of McNees Wallace & Nurick LLC’s Privacy and Data Security, Corporate & Tax and Financial Services practice groups.