THE JABIAN JOURNAL, SPRING 2018

How your company responds to an incursion into your corporate or customer data can mean the difference between a disaster and a difficult PR problem.

, Yahoo, Arby’s, Target, Home Depot, Deloitte, JPMorgan Chase, eBay, LinkedIn, Sony Pictures—it’s a list of impressive companies that seems to grow by the day. What do they have in common? They all had to publicly announce data breaches that put customers and their personal information at risk.

At Jabian, we are helping CEOs, CIOs, and CISOs prepare and respond to data breaches around the globe. How a company responds can potentially make or break the company and its leadership (case in point: the near immediate resignation of Equifax’s CEO).

A good response can increase brand prestige. It can delay or remove the risk of lawsuits. It can even lead to an increase in the company’s stock price. These recommendations can help you right the ship if your company is the target of a —and help you keep your job.

[Figure: 2016 Average Incident Response Timeline. 69 days from occurrence to discovery; 7 days from discovery to containment. Source: BakerHostetler]

Make Sure You Are Covered
Data Breaches Can Happen to Anyone

In today’s environment, it is almost a question of “when,” not “if,” a data breach will occur. Make sure you have a cybersecurity policy—and understand it. To guard against insurance , many policies will not allow a company to claim the time employees spend responding to an incident. Ask your insurance provider if it has a reporting template or instructions for how to validate and provide proof of services rendered. Knowing this in advance and incorporating it into your action plan will help you and your vendors create the needed documentation throughout the process.

Having master service agreements in place with third-party responders before or immediately after an incident occurs can ensure you have the right people—with the necessary skills—available when you need them. Your insurance may even cover their help.

Be aware that insurance typically covers only the investigation, emergency containment activities, and notification of affected parties. Recovery is not typically included. It’s assumed that doing those activities in the first place would have prevented the incident from occurring.

Don’t forget about hard-copy records. As reported in BakerHostetler’s Data Security Incident Response Report (BakerHostetler, 2016), incidents involving paper records accounted for 13 percent of all incidents in 2015. More common among health care incidents because of HIPAA requirements, BakerHostetler recommends that you ensure paper records, in addition to electronic records, are included in your information governance and incident response preparation.

[Figure: Number of Data Breaches and Exposed Records (in millions) in the United States, 2005 to 2016. Series: data breaches; exposed records (in millions). Sources: Resource Center; CyberScout]

Create a Plan
Preparation Is the Key to Managing Data Breaches

Once you become aware of a data breach, you have limited time and resources to react. Jabian’s Data Breach Framework breaks down the pieces to include in your response strategy. The framework provides the flexibility to develop the plans you need in hand on Day 1 to address different data breach scenarios. You don’t want to create your incident response plan while you are responding to the incident.

[Figure: Data Breach Strategy. Framework components: Project Management; Communication Management; Stakeholder Management; Investigation; Notification; Containment and Eradication; Recovery and Lessons Learned; Metrics and Reporting]

PROJECT MANAGEMENT

A data breach requires many teams to come together swiftly and harmoniously. Having a project management office to orchestrate coordination is vital to surviving the data breach. In addition to the company’s key executives, the response teams will typically include incident response, legal, external legal counsel, IT operations, third-party forensic investigators and responders, corporate communications, and the data/business intelligence team. Human resources may also be involved if employees are at fault or are the victims.

COMMUNICATIONS MANAGEMENT

Having a dedicated resource focused on ensuring communications are sent to the press, internal teams, and externally affected parties is necessary. Unless you have drafted templates that are preapproved with legal (internal and external), you will need someone working full time in concert with legal to draft and wordsmith your communications to ensure the optimal message is delivered at the right time.

Your communications strategy should include internal and external stakeholders. There are many questions you need to think through, addressing: What will you communicate? To whom will you communicate? How much should you communicate? And who within your company is responsible for communicating? Are there any legal requirements for when you must communicate? If you are a public company, how could communications and timing affect your public filings or your reports to analysts and investors?

Informing your employees may sound like a good idea. A large percentage of data breaches, however, are caused by employees. If the data breach is malicious, you don’t want to tip off the “bad guys” until you have time to gather evidence. Once you’ve collected your evidence, communicate a comprehensive response to employees about what happened and, more important, how the company will prevent this from happening again.

Like all the steps in a data breach response, ensure you’re tracking internal communications—who receives them, when, and what is communicated—to ensure complete coverage.

STAKEHOLDER MANAGEMENT

With regard to project and communications management, you must ensure that your critical stakeholders are on the same page throughout the investigation, notification, containment, and recovery phases of a data breach. Have someone on point to ensure communications flow from the project management office and incident response teams to the appropriate stakeholders—internal and external.

You will more than likely have several vendors and internal groups working together across various work streams. They will need executive approval, as well as coordination with the correct internal counterparts (IT, legal, communications, etc.) to assist throughout the process. Coordinating with these stakeholders and groups common pain point can be time-consuming. It requires management, as speed of alignment, approvals, and delivery are important for the team to be effective.

INVESTIGATION

The technical nature of the investigation will vary depending on the systems, networks, and data types involved. From a general process perspective, however, you must determine which systems are in or out of scope for the investigation; track what you have investigated and what is still in process; and understand when the investigation is complete. If you don’t have the skills in-house, engage a private forensic investigation firm to investigate on your behalf.

If the networks identified your company or some of your locations as being common points of purchase for credit cards linked to fraud, they may require you to use a forensic investigator certified by the credit card industry. The card networks will want to ensure it truly was a malicious outside attack, rather than an inside job, which could put your company on the hook for reparations.

Another difficulty may involve decentralized systems or systems that cross corporate boundaries (e.g., subsidiaries or franchises), which are not managed by a single corporate or IT unit. This fragmentation can lead to additional complications, as individual users and managers will have varying systems, programs, protection, and potential . Depending on your intercompany agreements, you may need to get permission from the subsidiary or franchisee before conducting your investigation. Ensuring up front that you have a well-thought-out cybersecurity clause in your intercompany agreements can provide a uniform and more timely investigation.

Keep in mind that individual system owners with proprietary knowledge and management of their computers, such as subsidiaries or franchisees, may be protective of their devices and be hesitant to engage outside help to investigate. They will be looking after themselves before the overall company, so you may have to offer incentives to get them to opt in to the investigation. Incentives might include paying for the cost of the investigation or the cost of mailing notifications to customers.

From the company’s perspective, communicating all the information to the public in a single notification, which can quickly fade from the public eye, is a huge win. The alternative may be fragmented investigations (managed by individual parties) and multiple notifications that can drag on for months, if not years. Equally important is being able to centrally craft and manage the messages to customers and the public, ensuring they meet legal requirements and protect the company’s brand as much as possible.

CONTAINMENT

As you identify issues throughout the investigation, you should work to immediately contain them without disrupting the investigation or damaging any evidence. The goal of containment is to stop the incident or the malware from spreading. At this step, the goal is not to remove or eradicate it.

Depending on the type of issue you identify, it may be possible to lock down your network or use an intrusion-prevention system to block the specific malware from phoning home even before you begin removing the issue. Or, you may be able to do a rolling remediation: As soon as the investigation of one system or location is complete, you remediate it before moving on to the next. Regardless of the timing, tracking is very important to ensure everyone knows the status of each system and location.

NOTIFICATION

When you’re sure you fully understand and have contained the problem, you can begin to identify and notify affected parties. As previously stated, you ideally want to send one notification to all affected parties to have the breach drop from the public eye as quickly as possible.

Legal review and approval of the notification is critical, as there are unique requirements for states and countries, which may also depend on the point of purchase. In addition, consult key stakeholders to determine how to craft the message to best represent your brand, addressing questions such as: Should you use company letterhead? Who should sign the message? How should you address the customer?

ERADICATION

Once you’ve completed the containment phase, begin to eradicate the issue. The goal is to fully reverse the damage or remove the malware from the affected systems; it is not to fully recover those systems back into production. This step should follow your standard IT change management process to eradicate the issues from the affected systems (e.g., upgrade and patch software, reinstall base operating system, set up and migrate to new hardware, etc.) as well as minimize any identified vulnerabilities or risks and harden the affected systems.

RECOVERY

Once the damage is eradicated, you can restore lost functionality and data and remove the temporary containment measures you may have left in place. Steps include testing the restored and hardened systems, deploying them into production, monitoring systems for signs of incident reoccurrence, validating that the systems are fully recovered, and removing any unneeded containment measures.

LESSONS LEARNED

Don’t leave out this last step! Take this opportunity to learn from your experience by improving and standardizing your data breach response process to be better prepared in the future. Hold a “lessons learned” meeting within one week of the close of the incident to ensure everyone’s activities and thoughts are fresh in their minds.

Make sure everyone checks their feelings at the door. All team members, especially leaders, must be comfortable talking about errors they may have made. The focus of the meeting should be on team performance. Be open with congratulations and constructive with criticism while examining every phase of the operation. The result of your meeting should be a list of identified probable causes of any identifiable errors, so you know what could be done differently to improve the result next time.

METRICS AND REPORTING

As you may now realize, the response to a data breach includes a lot of moving parts. Having standard templates that allow quick and clear summation and communication, especially during the hectic first days of the response, can be critical. Having a team of reporting specialists who are familiar with those templates, and who quickly grasp what is important to track and what noise to filter out, is equally imperative to enable executives to make the requisite decisions.

A final thought to incorporate into your response plan: As data and reports are passed around among different teams, ensure that you’re sending documentation securely. It would not look good if your data breach response team caused a second breach!

Yosef Beck
Tara Sconzo

Works Cited:
BakerHostetler. (2016). Data Security Incident Response Report. BakerHostetler. Retrieved from https://bakerlaw.com/files/uploads/Documents/Privacy/2016-Data-Security-Incident-Response-Report.pdf