BreachExchange mailing list archives

Dealing with a Data Breach: Tips from the Trenches

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Dec 2014 18:50:58 -0700

http://www.esecurityplanet.com/network-security/dealing-with-a-data-breach-tips-from-the-trenches.html

Companies and government agencies use a variety of technologies to protect
their networks from unwanted intrusions. The attacks themselves are
continuing to escalate in number and complexity, so it’s important to know
how to respond when an incident occurs.

"The biggest issue is to make sure that everyone on your team is talking
the same language," Ricardo Lafosse, chief information security officer for
Cook County Government, told the audience at the recent SC Congress event in
Chicago.

Part of that, for Cook County Government, is classifying the severity of an
attack. It uses one response level for a single "incident," an escalated
response for multiple incidents, which Lafosse calls an "event," and a still
higher response for an actual breach.

Jacob Springer, division counsel, global privacy office for Abbott
Laboratories, suggested developing a baseline of security defenses by
looking at peers in the same industry. He also recommended following a
detailed script for any type of security issue. Without a detailed, planned
response there is likely to be a communication breakdown.

Documentation and Communication

"People think they communicate well, but they don’t," Springer said. "You
need to put a plan together that is very detailed, with what people do at
what time. The more specific you are, the less time you lose in responding.
If you don’t define people’s responsibilities, it will take a long time to
respond one way or another. Everything that you can do to reduce downtime
is money in the bank."

Springer also recommended that companies document their defenses and any
responses to incidents, including the preferred forensic, data security and
other security vendors to contact when warranted. Email documentation isn't
enough, he cautioned. The company needs to have confidential documentation,
including an outside counsel's approved summary of the company's response
to any breach.

William Cook, partner with McGuireWoods LLP, said security response
information needs to be communicated not only to the security team, but
also to legal and to executives, so that everyone understands when an
attack or breach legally requires notifications to customers and others
outside of the company. Failing to make those notifications as required can
cost a company in fines and in reputation.

Cook also stressed the importance of the legal department explaining to
executives the notifications required by different legal entities. There
are 47 different state laws requiring notification, as well as FTC rules to
understand, he said.

He recommended working with inside and outside counsel in the event of a
breach to ensure that the company follows proper protocols. However, he
advised keeping as much detail as possible in-house so that it doesn’t lead
to future litigation. Inside counsel should discuss any breach with all
parties within the company so that anything said comes under
attorney-client privilege and "unwise" comments don’t go out to the public.

For example, Cook related a discussion with a company’s new chief
information security officer who said the firm’s security "was like a
screen door on a submarine." Cook said he asked the officer to repeat the
statement to make sure he heard it correctly, then told the officer never
to repeat it.

"You can look good or bad," Cook explained. "You don’t want to send out the
wrong kind of information."

Incident Response and Notification

He also advised communicating security protocols to the public relations
staff so it can prepare proper messaging regarding the company’s efforts in
the event of an actual breach. The public relations staff should be put on
notice immediately upon the discovery of a breach, he added.

"You need to have your security guidelines in place. You need to have an
incident response team in place," Cook said. "There will be a lot of press
when there is a security event."

If the proper notifications aren’t released in a timely manner, the press,
legal authorities and perhaps the Federal Trade Commission (depending on
the nature of the breach) will all be hard on a company, Cook warned.

Timely notification is more important than the technology employed to fight
threats, Cook added. "Some companies are worrying too much about new bad
stuff. As they’ve shown in the Target case, judges don’t ask about having
state-of-the-art security. They care more about your record and how you
respond along the way."

With attacks evolving continuously, state-of-the-art defenses aren't always
possible, Lafosse agreed. "You have only a finite number of resources.
There are always new tools."

More important than having the newest tools is taking reasonable, proactive
steps to monitor the network for evidence of attacks and attempting to
respond before an intrusion becomes successful, Lafosse and Cook agreed.

"Judges are upset when they see that legal and HR are not responding to red
flags that are going off in their own arsenal of security systems," Cook
said. "You need to show that you are organized and that you approach
security in a logical way."