How prepared is your organization to respond to a major data breach? Do you already have outside counsel? Are your people talking with law enforcement now? Do you know who will be the public face? What about forensics investigators, public relations, insurance, third-party call centers?
If you wait to do all of these things until you’ve suffered a breach, you’re going to find yourself behind the proverbial eight-ball. And don’t think you’re not vulnerable. Everyone is. According to the most recent data breach report by Verizon, there were more than 2,200 data breaches in 2017 and more than three-quarters of them were financially motivated.
Among the most effective ways to prepare for a data breach is to have a clear understanding of the processes involved in responding to an attack, according to Lisa J. Sotto, who chairs the top-ranked Global Privacy and Security Practice at Hunton Andrews Kurth LLP and is managing partner of the global law firm’s New York office.
“Managing a data breach is a major undertaking that can quickly overwhelm an organization in the throes of an attack,” Sotto writes in the newly published book Navigating the Digital Age, Second Edition.
A major breach could consume virtually all of management’s time and energy for months. “Worse,” she adds, “it could expose the organization to enormous risk—financial, legal and reputational—if the appropriate steps are not taken from the beginning to help ensure a proper investigation, reporting, notification and communication.”
Event and Mobilization
The response effort must start immediately after the identification of an attack. The organization’s CISO and her team will generally take the lead, along with the company’s general counsel. Outside counsel is frequently brought in at this time in an effort to preserve the company’s legal posture, including protecting privilege.
If the breach appears significant, counsel likely will advise the organization to implement a legal hold, requiring that relevant records be preserved. There may be a requirement to disclose the event under securities law. This would also be the time to notify the relevant insurer and determine whether to retain outside forensics investigators. It also may be appropriate to contact law enforcement agencies.
This is a critical time for the company. “It is important that the group handling the incident be limited to need-to-know personnel,” Sotto advises. “Keeping the circle of breach responders small can help to prevent leaks and speculation.”
In the U.S. alone it may be necessary to analyze the laws of the 50 states, as well as other relevant jurisdictions, such as Washington, DC. In the European Union, the General Data Protection Regulation (GDPR) requires that companies notify government authorities of a personal data breach within 72 hours of becoming aware of such an incident.
Because of these aggressive timing requirements, organizations are in a position where they have to issue notification while the forensic investigation is taking place. This can be a challenge, because the path the investigation takes is often unpredictable and subject to major changes.
There are numerous stakeholders to consider during the notification stage: regulatory authorities, business partners, customers, service providers, media, employees and relevant government entities. Crafting a communications strategy can be challenging, Sotto says, and the organization may need to hire external public relations experts.
The notification generally should be sent directly to the affected individuals, and timeliness is essential. To assist in this process, companies often retain external mail houses. In addition, third-party call centers are often used to assist with what Sotto calls “the inevitable barrage of calls following notification of a data breach.”
Once the event has been announced publicly, the company will be faced with myriad questions: Who was affected? How many files? How long did it last? When did you find out? You will also be asked about your overall security posture.
It can be overwhelming. “Business leaders should anticipate a multi-month, or even a multi-year, exchange of information and dialogue with regulators,” Sotto says.
Then you will have to deal with regulators, and potential fines or other impositions. And, of course, lawsuits. Sotto says actions may be brought by affected individuals, issuing banks, shareholders and other parties directly or indirectly impacted by a breach.
“Lawsuits resulting from data breaches can take years to resolve,” Sotto warns. “Between litigation and regulatory action, organizations will be dealing with the ramifications of a breach long after the actual event.”
Knowing the steps involved in responding to a breach, as outlined here, is a critical first step in ensuring that your organization is prepared. Sotto offers additional guidelines to ensure that your organization can respond quickly and appropriately. These are:
- Be prepared to identify intruders quickly. This requires a combination of people, processes and technology, along with a culture of cybersecurity.
- Build relationships in advance with cybersecurity experts. “The better-prepared companies know which forensic firm, counsel, PR firm, call center, credit monitoring service and mail house they will retain in the event of a breach,” Sotto says, adding that these providers may even be listed in the incident response plan.
- Purchase cybersecurity insurance. An insurer can play a big role in helping assemble a response team. “Cyber insurers often have significant experience managing breaches,” Sotto says. “Compromised companies can leverage the experience to help accelerate and coordinate the response.”
- Maintain a state-of-the-art incident response plan. This plan is a dynamic document that should be revisited frequently, Sotto advises. She also says it is important to establish a relationship with relevant law enforcement authorities before experiencing an attack.
- Practice: Many organizations conduct tabletop exercises to practice their incident response plans. “Tabletop exercises help build institutional muscle memory and will serve to streamline an entity’s breach response, mitigating harm associated with an actual event,” Sotto says.
In today’s precarious environment, business leaders and board members must be aware that the increased scrutiny that can come from a data breach could have a profound impact on the business’s operations, financial position and reputation.
How an organization responds to a breach is often a bigger test than the breach itself. By knowing what it takes to respond, business leaders can be better prepared to provide the leadership and guidance necessary to successfully steer the organization through a cyberattack.
Al Perlman, co-founder of New Reality Media, is an award-winning technology journalist. For the past dozen years he has focused on the intersection between business and technology, with an emphasis on digital transformation, cloud computing, cybersecurity and IT infrastructure.