BreachExchange mailing list archives

Traversing the Breach: Why You Need to Prepare for Data Breaches and How to Do It


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Mar 2015 18:57:15 -0700

http://www.jdsupra.com/legalnews/traversing-the-breach-why-you-need-to-p-82939/

For several years, the common business refrain has been that “every company
is a tech company,” as brick-and-mortar businesses turn to technology to
distinguish themselves and enhance efficiency, intelligence, and customer
experience. The corollary, of course, is that every company now also is a
data company. In a world where transactions are conducted digitally and
corporate strategy is driven by sophisticated analytics, data is fast
becoming a company’s greatest asset. Almost everything a company cares
about is increasingly stored in digital banks.

Unfortunately, as the recent string of high-profile security
breaches—Target, Sony, Anthem—has made clear, the increasing value of data
has been met with rising risk. As James Comey, director of the FBI,
observed in a recent interview, “Cybercrime is becoming everything in
crime. . . . Because people have connected their entire lives to the
Internet, that’s where those who want to steal money or hurt kids or
defraud go.” (See
http://www.cbsnews.com/news/fbi-director-james-comey-on-threat-of-isis-cybercrime/.)
Moreover, data security has become as much a legal issue as a technological
one, as companies face a bewildering array of federal, state, and
international laws and regulations governing cybersecurity, privacy, and
breaches. In this quickly evolving climate, it is imperative that companies
closely examine their breach preparedness from both a security and legal
standpoint. The hours after a breach may well determine how a company fares.

Companies Face an Increasing Risk of Data Breach
The proliferation of security breaches poses an enormous threat to
customers, and to the reputation and bottom line of compromised companies.
In 2014, Ponemon found that 43 percent of U.S. companies had experienced a
data breach within the last year, up from 33 percent in 2013. Moreover,
even before the most recent breaches, it found data breaches were costing
U.S. companies an average of $5.9 million, or an average of $201 for each
compromised record. A brief review of some of the most prominent recent
data breaches illuminates the breadth of industries affected by breaches,
as well as the scope of potential damage.

● On February 3, Anthem, the nation’s second-largest health insurer,
announced a data breach that had exposed the personal information,
including Social Security numbers, of 80 million customers and employees.
Anthem’s breach is the latest and largest in a series of data security
issues affecting the health industry. In August 2014, Community Health
Systems announced a data breach that had exposed 4.5 million patient
records. Experian forecasts that data breaches may cost the healthcare
industry as much as $5.6 billion annually.

● In perhaps the most notorious recent data breach, in November 2014,
hackers obtained and released terabytes of internal data at Sony Pictures
Entertainment, including embarrassing corporate documents and Social
Security data for 47,000 Sony employees. In addition, all data on many Sony
servers reportedly was destroyed. The breach is estimated to have caused
Sony $70-$80 million in direct costs, as well as potentially more than $100
million in indirect costs from related loss of business. On February 4,
Sony Pictures’ co-chairman resigned, largely due to fallout from the breach.

● In September 2014, Home Depot revealed that a data breach had exposed 56
million customer debit and credit card accounts, then announced shortly
afterward that 54 million customer e-mail addresses also had been
compromised. In its SEC filing for the third quarter of 2014, Home Depot
disclosed that it had recorded $43 million in expenses arising from the
breach.

● In August 2014, JPMorgan Chase disclosed that hackers had been siphoning
data from its computer network for months, exposing contact information for
76 million households and 7 million small businesses. Subsequently, the
bank announced that it would spend $250 million annually to implement new
security initiatives and protect itself from future cyberattacks.

● In one of the largest breaches in recent memory, in December 2013, Target
disclosed that hackers had stolen names, credit card data, e-mail addresses
and phone numbers for up to 110 million users. Following the announcement,
Target’s profits plunged by 40 percent. In February, it was reported that
losses associated with the breach had reached approximately $200 million.

As the diversity of businesses affected—including healthcare,
entertainment, financial and retail companies—demonstrates, data security
is a critical issue not only for Internet businesses, but for all companies
in all industries. As new mobile payment technologies emerge and companies
continue to migrate data to BYOD programs and cloud-based systems, the risk
of data breach is expected to continue to increase in 2015, heightening the
need for companies to closely examine their own networks and data for
security issues.

Companies Are Subject to Increasing Legal Risks and Obligations Relating to
Data Security

Existing Legal Landscape. Companies that have experienced
data breaches not only have suffered from losses in good will, customer
attrition and technological costs, but also legal liability. The current
legal landscape governing data privacy comprises a sprawling patchwork of
state, federal and international laws, and class action lawyers, as well as
state, federal and global regulators are becoming increasingly vigilant and
aggressive. Following a data breach, a company can find itself under legal
fire from multiple angles.

At the federal level, the Federal Trade Commission, the Securities and Exchange
Commission, and other regulators have been very forward-leaning. As part of
its consumer protection duties, the FTC has actively investigated
companies’ data privacy and collection policies, levying monetary penalties
and requiring companies to implement improved security policies subject to
independent monitoring. It also has brought actions under the Fair Credit
Reporting Act and the Gramm-Leach-Bliley Act following breaches exposing
consumers’ credit histories and financial data. The SEC’s Division of
Corporation Finance has issued guidance regarding public reporting
requirements for cybersecurity incidents, and Commissioner Luis Aguilar has
confirmed that the SEC will hold boards of directors accountable for their
companies’ cybersecurity risk management policies. Meanwhile, the Financial
Industry Regulatory Authority and the SEC’s Office of Compliance
Inspections and Examinations have begun examining the cybersecurity
preparedness of regulated entities, with both bodies releasing reports of
their findings and suggested best practices at the beginning of February.

At the state level, state attorneys general have taken an increasingly
active role in investigating data breaches and enforcing privacy
protections, with multi-state investigations currently underway regarding
the breaches at Target, Home Depot and JPMorgan Chase. In these cases,
states are investigating not only whether proper safeguards of consumer
data were in place, but also whether after discovering their breaches, the
companies properly notified affected customers. As 47 states have enacted
some form of security breach notification statute over the last decade,
each with varying timing and threshold requirements, compliance with
notification statutes has presented serious issues for companies with
widespread consumer bases. These issues are compounded for international
companies, as notification statutes in other countries—including in the
European Union—impose even more stringent disclosure requirements than
those in the United States.

Finally, every prominent data breach has prompted a flood of consumer class
action lawsuits, usually including a combination of negligence, contract,
state consumer protection and federal privacy claims. Multiple lawsuits
were filed against Anthem and Sony within hours of breach disclosures, and
Home Depot disclosed that it has been named in at least 44 consumer
lawsuits. Historically, companies have had success defeating consumer
claims by challenging standing, arguing that without concrete allegations
of actual identity theft, plaintiffs could not demonstrate classwide harm
from the mere exposure of their data. Recently, however, courts have shown
an increasing willingness to allow such claims to proceed. In September
2014, the Northern District of California permitted a data-breach class
action to proceed against Adobe, holding that a “credible threat of real
and immediate harm” in the future was sufficient to confer Article III
standing on the class. In re Adobe Sys., Inc. Privacy Litig., No.
13-cv-051126, 2014 WL 4379916, at *6-*9 (N.D. Cal. Sept. 4, 2014).

New Legislative Developments. As data security continues to dominate the
national conversation, federal and state lawmakers are rushing to update
the existing body of privacy laws. The White House has made data privacy a
major priority this term, proposing legislation that would reconcile
inconsistent state notification statutes by creating a uniform federal
standard for data breach notification. At the same time, California, New
York and other states are continuing to amend and broaden their own
notification statutes to cover additional entities and forms of data. In
the financial sector, state regulators are also issuing their own guidelines,
and New York’s Department of Financial Services recently announced that it
would start conducting its own preparedness assessments of banks and
insurers. As new laws are proposed and go into effect, it is critical for a
company to understand the legal obligations that may apply in each area it
does business.

Companies Must Take Proactive Steps to Mitigate Exposure and Ensure Legal
Compliance

It goes without saying that companies should take steps to
safeguard customer privacy and to minimize the potential for a data breach.
However, given the continued rise in frequency and sophistication of
cybercrime, as well as the growing attention to notification requirements,
companies must make it an equal priority to prepare themselves to respond
when breaches inevitably occur. It is not only the smart thing to do, it is
becoming the standard of care.

Given the complicated technical and legal issues involved, data breach
preparedness can be a source of anxiety to companies. In Ponemon’s 2014
survey, 73 percent of companies reported that they had data breach response
plans and teams in place, but only 30 percent believed that their plans
were effective. Below are a few high-level guidelines that a company should
follow when assessing its readiness for a breach.

Conduct a Readiness Audit. At a minimum, a company should assess its legal
compliance and infrastructural ability to respond to an attempted breach by
conducting a readiness audit. As part of this audit, a company should:

Map data and backups. Because the nature of data drives both the level of
security and the legal obligations that flow after a breach, a company
needs to know what data it has and where it is located. Put simply: the
more important data is, the better the security should be. Moreover, in the
case of a breach, knowing what was taken and where it was collected/located
will determine a number of legal obligations. Finally, a company must have
a realistic way to restore lost data or take parts of its system offline
without causing more problems. Backups need to be done in a way that makes
this possible.

Perform a network security assessment. Once a system map is in place,
regular “penetration testing” must be conducted to identify potential
system vulnerabilities. This includes subjecting company employees to
phishing tests so that passwords are not inappropriately disclosed.
Education is a must, and all employees should be aware of how to observe
security precautions and avoid allowing unauthorized access.

Review insurance policies and contracts. With the rash of security
breaches, insurance policies are now available to cover costs associated
with data breaches, including notification, public relations, and resulting
legal and liability expenses. Some policies even cover the costs of
assessing the company’s preparedness for a data breach.

Monitor the legal landscape. In view of the ever-changing legal landscape,
a company should engage legal counsel to identify and assess compliance
with the universe of applicable state, federal and international
regulations. Because even simple business decisions (e.g., requesting a
physical address or changing the way data records are stored) can trigger
new obligations in different territories, counsel must be consulted on a
continual basis so that companies are accurately informed about their
ongoing risks and obligations.

Maintain law enforcement contacts. In the event of a significant breach,
law enforcement involvement will be necessary to identify and bring to
justice the intruders. A company should establish contact with the state
and federal law enforcement individuals that have jurisdiction in its
industry or geographical area. In the event of a breach, legal counsel
should manage any communications with law enforcement.

Prepare a Cyber Incident Response Plan. In addition to conducting a
readiness audit, a company must have a comprehensive cyber incident
response plan to minimize potential losses, keep customers informed on a
timely basis, and avoid further legal liability in the event of a breach.
Any response plan must assume that all internal systems are compromised. In
developing this plan, a company should:

Prepare a legal response and notification strategy. A company must have a
legal response and notification plan that complies with all applicable
notification provisions. Legal counsel should be heavily involved both in
drafting the plan and advising during its implementation as to when and
where different notification duties may be triggered.

Prepare a communication strategy. A company should have not only an
external communication strategy for satisfying notification requirements
and customer expectations and needs, but also an internal communication
strategy. All parties must be mindful of the risk that non-privileged
communications may be subject to discovery in the event of a lawsuit or
investigation. Employees or call center representatives should have clear
guidance for all communications concerning a breach.

Prepare a forensic and technical response strategy. A company should
identify all data that must be preserved and collected in the event of a
breach. This data will not only be used for troubleshooting, monitoring,
and recovery, but also as a record that will be used by regulators, lawyers
and law enforcement after a breach. Forensic experts should be engaged to
collect and examine the data as internal IT teams focus on restoring
systems. To maximize work product and privilege protection, lawyers should
hire and direct the forensic experts.
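Both the "Map data and backups" item of the readiness audit and the forensic
preservation strategy above come down to the same engineering task: know
exactly which files you hold, and be able to prove later that a restored
backup or a collected evidence set is complete and unaltered. The script below
is an added example, not code from the article or its authors. It builds a
manifest of SHA-256 digests for a directory tree, verifies a copy against it
(reporting missing, modified and unexpected files), and digests the manifest
itself so that the manifest can be recorded in a chain-of-custody log. The
directory layout, file contents and the "damaged restore" scenario are
constructed for the demonstration.

```python
"""Evidence/backup preservation manifest.

Inventory every regular file under a directory, record a SHA-256 digest and
size for each, and later verify a copy (a restored backup or a collected
forensic set) against that manifest.

Added example; not from the original article. All paths and file contents in
demo() are constructed for illustration.
"""
import hashlib
import json
import shutil
from pathlib import Path
from tempfile import TemporaryDirectory


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large evidence files are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root to its digest and size.

    Paths are recorded relative to root with forward slashes so the manifest
    is portable between the live system and the copy being verified.
    """
    root = Path(root)
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        entries[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return entries


def verify_copy(manifest, copy_root):
    """Compare a copy against the manifest.

    Returns a dict keyed by relative path with the value 'missing',
    'modified' or 'unexpected'. An empty dict means the copy is complete and
    bit-for-bit identical to what was inventoried.
    """
    current = build_manifest(copy_root)
    problems = {}
    for rel, meta in manifest.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel]["sha256"] != meta["sha256"]:
            problems[rel] = "modified"
    for rel in current:
        if rel not in manifest:
            problems[rel] = "unexpected"
    return problems


def manifest_digest(manifest):
    """Digest of the canonical JSON form of the manifest itself.

    Record this value out of band (e.g. in a chain-of-custody log) so that any
    later tampering with the manifest file is detectable.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def demo():
    """Constructed scenario: inventory a 'live' tree, make one faithful copy
    and one damaged copy, and report what verification says about each."""
    with TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "db").mkdir(parents=True)
        (live / "db" / "customers.csv").write_text("id,email\n1,a@example.com\n")
        (live / "web.log").write_text("10.0.0.5 - - GET /login 200\n")
        manifest = build_manifest(live)

        good = Path(tmp, "restore_good")
        shutil.copytree(live, good)

        bad = Path(tmp, "restore_bad")
        shutil.copytree(live, bad)
        (bad / "web.log").write_text("10.0.0.5 - - GET /login 200\nextra\n")  # altered
        (bad / "db" / "customers.csv").unlink()                                 # lost
        (bad / "stray.tmp").write_text("x")                                     # not inventoried

        return {
            "files": sorted(manifest),
            "good": verify_copy(manifest, good),
            "bad": verify_copy(manifest, bad),
            "manifest_digest_stable": manifest_digest(manifest)
            == manifest_digest(build_manifest(good)),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real tree by calling build_manifest on the live system before
an incident, storing the JSON and its manifest_digest with the incident
records, and calling verify_copy on whatever the forensic team or the backup
operator hands back. The size field is retained only for quick triage; the
digest is what establishes integrity.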

Designate response officials. A company should identify key employees who
are knowledgeable of each critical area and who will be responsible for
executing the response plan. At a minimum, legal counsel, company
executives, communications, IT, and HR representatives (if employee actions
or information are at issue) should be included.

Distribute call lists and written response plans. Once a detailed response
plan has been prepared, it should be memorialized and distributed outside
of the company’s computer systems to all relevant individuals. This should
include a laminated call list of all designated response officials so that
the plan can be put into effect immediately.

A cyber incident response plan necessarily is a sensitive undertaking, as a
company must investigate and repair any breaches while simultaneously
keeping customers informed, preserving evidence and cooperating with
authorities who may be evaluating the company’s security policies and
response procedures in real time. It is critical to engage legal counsel
not only when preparing the plan but also while executing it, to identify
and navigate all potential legal ramifications and to protect
attorney-client and work-product privileges.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
