CLIENT ADVISORY

edwardswildman.com
January 2014

An Edwards Wildman Privacy & Data Protection Client Advisory

Every Company is a Potential “Target” of a Breach: What is a Company to do?

By: Theodore P. Augustinos and Mark E. Schreiber

Recent events involving widely-publicized data breaches, at respected retailers with significant resources to address information privacy and security challenges, are a wake-up call for any business. If such prominent organizations are under attack and have difficulty protecting the security of their customers’ information, what can any business do? Here are four suggestions.

1. Re-Arm against Threats

First, we must keep in mind that the complete story of these recent events has not yet been written. Highly sophisticated attacks have, in prior events, overcome some of the state-of-the-art safeguards, and the countermeasures, forensic experts tell us, are not yet entirely up to the task. Nevertheless, recent research on data security incidents teaches us that most breaches involve some basic failure or simple mistake. According to one industry study, 97% of reported malicious data breaches were avoidable. In addition to the big breaches in the news, the Massachusetts Office of Consumer Affairs and Business Regulations reported a record number of reported breaches in 2013, up 30% from the prior record in 2012, according to the Business Journal.

Current events may be a good reminder to re-arm against potential threats: re-visit technical and administrative safeguards, and re-educate, re-train and re-sensitize personnel. A new “Cyber Streetwise” cyber security website was launched last week by the UK government to assist business in protecting against data breaches, and free materials are available at the FTC. Both sites are worth reviewing. The UK site includes basic advice to businesses and individuals, including tips on IT security password management, wireless networking, online banking and website security.

Companies should certainly take this opportunity to review the well known and publicized data security basics: maintain and check firewalls; enable logging on all servers; back up log files; encrypt portable devices, other media and backups; control the ability to download and export data; and segregate and compartmentalize sensitive databases. While DNS queries, Domain Generation Algorithms, and so-called “Magic Packets” may be beyond many executives’ common vocabulary, the IT departments of most companies will grasp these terms. As threats develop, so do defenses, and the next generation of anti-malware techniques and software is now becoming available. Companies should continually explore available improvements and upgrades to security systems to implement and maintain the appropriate level of defenses against an attack. Many forensic consultants offer frequent, excellent and free webinars on data security issues to help monitor recent developments, techniques and resources for defending against cyber-attacks and other data security risks.

2. Address Vendor Relationships

Another message of the recent events may be that vendor management should be on the front lines of every company’s defense against data breaches. Industry studies identify vendors as a source of perhaps a third or more of data breaches and thus a vulnerability for many companies. Vendor relationships, including those with data and payment processors; records management and storage facilities; legal, accounting and other professional services firms; and other relationships, must be carefully scrutinized for their compliance profile, capabilities and culture in order to maintain adequate defenses against a potential attack through those avenues. Companies should view third parties that touch their personal data as potential sources of vulnerability for a breach. Due diligence on vendor engagements is critical, and vendor contracts must incorporate appropriate contractual protections, representations, warranties and indemnifications, as well as audit and reporting rights. After engagement, vendors should be monitored and revisited, and audited as appropriate, just as each company should continually monitor and revisit its own security apparatus and protocols to ensure that security is keeping up with evolving business needs, uses of information, and the relevant threat environment.

3. Review Response Plan

This is also a good time for companies to review incident response protocols, make sure the response team is in place, and consider testing the breach or crisis management workings in a “tabletop” or mock breach scenario. It is usually helpful for IT personnel to work with forensics teams in advance to establish procedures for responding to particular threats, in order to improve the possibility of immediate identification, prompt remediation, and investigation of the effect and scope of the incident. Legal, public relations and other internal and external resources should be well prepared to address the various, and sometimes conflicting, compliance obligations that are usually triggered by a data security incident, including the timing and content requirements for notifications.

4. Anticipate an Incident

As we know with breach incidents, it’s not a matter of if, but when. Realistic simulations and drills incorporating unexpected data and factual scenarios, as noted, are a useful way to assess your company’s readiness, even if you have been fortunate to avoid a recent, actual incident. Make sure your standby response team is on red alert, with adequate resources, decision making, capability and preparedness to respond to an incident as promptly and accurately as possible. Review available resources, many of which are free, to stay current on legal and regulatory compliance in all applicable jurisdictions, including a global data breach guide published by the World Law Group. Frank, ongoing discussions with privacy and IT security personnel, C-Suite executives and even boards of directors will help improve the company’s information security profile and increase its chances against these persistent and growing cyberthreats.


For more information, please contact the authors of this advisory, Theodore P. Augustinos, Partner, +1 860 541 7710, [email protected], and Mark E. Schreiber, Partner, +1 617 239 0585, mschreiber@edwardswildman.com, or one of the attorneys listed below:

Mark E. Schreiber, Partner, +1 617 239 0585, Boston, [email protected] (Chair, Privacy and Data Protection Group Steering Committee)
Theodore P. Augustinos, Partner, +1 860 541 7710, Hartford, [email protected] (Steering Committee, Privacy and Data Protection Group)
Laurie A. Kamaiko, Partner, +1 212 912 2768, New York, [email protected] (Steering Committee, Privacy and Data Protection Group)

Barry J. Bendes, Partner, +1 212 912 2911, New York, [email protected]
Michael P. Bennett, Partner, +1 312 201 2679, [email protected]
Nicholas Bolter, Partner, +44 (0) 20 7556 4380, [email protected]
Kenneth Choy, Partner, +852 2116 6653, Hong Kong, [email protected]
Mark Deem, Partner, +44 (0) 20 7556 4425, London, [email protected]
Ben Goodger, Partner, +44 (0) 20 7556 4188, London, [email protected]
Edwin M. Larkin, Partner, +1 212 912 2762, New York, [email protected]
Sarah Pearce, Partner, +44 (0) 20 7556 4503, London, [email protected]
Ronie M. Schmelz, Partner, +1 310 860 8708, [email protected]
Stephen M. Prignano, Partner, +1 401 276 6670, Providence, [email protected]
Thomas J. Smedinghoff, Partner, +1 312 201 2021, Chicago, [email protected]
David S. Szabo, Partner, +1 617 239 0414, Boston, [email protected]
David L. Anderson, Counsel, +1 310 860 8710, Los Angeles, [email protected]
Patrick J. Concannon, Counsel, +1 617 239 0419, Boston, [email protected]
Karen L Booth, Associate, +1 860 541 7714, Hartford, [email protected]
Jonny McDonald, Associate, +44 (0) 20 7556 4620, London, [email protected]
Ari Moskowitz, Associate, +1 202 939 7934, Washington, D.C., [email protected]
Matthew Murphy, Associate, +1 401 276 6497, Providence, [email protected]
Patrick Peng, Associate, +852 3150 1936, Hong Kong, [email protected]
Erin Pfaff, Associate, +1 310 860 8717, Los Angeles, [email protected]
Nicholas Secara, +1 212 912 2785, New York, [email protected]
Ajita Shah, Associate, +44 (0) 20 7556 4385, London, [email protected]
Nora A Valenza-Frost, Associate, +1 212 912 2763, New York, [email protected]

BOSTON CHICAGO HARTFORD HONG KONG ISTANBUL LONDON LOS ANGELES MIAMI MORRISTOWN NEW YORK ORANGE COUNTY PROVIDENCE STAMFORD TOKYO WASHINGTON DC WEST PALM BEACH

This advisory is published by Edwards Wildman Palmer for the benefit of clients, friends and fellow professionals on matters of interest. The information contained herein is not to be construed as legal advice or opinion. We provide such advice or opinion only after being engaged to do so with respect to particular facts and circumstances. The firm is not authorized under the UK Financial Services and Markets Act 2000 to offer UK investment services to clients. In certain circumstances, as members of the Law Society of England and Wales, we are able to provide these investment services if they are an incidental part of the professional services we have been engaged to provide. Please note that your contact details, which may have been used to provide this bulletin to you, will be used for communications with you only. If you would prefer to discontinue receiving information from the firm, or wish that we not contact you for any purpose other than to receive future issues of this bulletin, please contact us at [email protected]. © 2014 Edwards Wildman Palmer LLP a Delaware limited liability partnership including professional corporations, Edwards Wildman Palmer UK LLP a limited liability partnership registered in England (registered number OC333092) and authorised and regulated by the Solicitors Regulation Authority and Edwards Wildman Palmer, a Hong Kong law firm of solicitors. Disclosure required under U.S. Circular 230: Edwards Wildman Palmer LLP informs you that any advice contained in this communication, including any attachments, was not intended or written to be used, and cannot be used, for the purpose of avoiding federal tax related penalties, or promoting, marketing or recommending to another party any transaction or matter addressed herein. ATTORNEY ADVERTISING: This publication may be considered “advertising material” under the rules of professional conduct governing attorneys in some states. 
The hiring of an attorney is an important decision that should not be based solely on advertisements. Prior results do not guarantee similar outcomes. edwardswildman.com