BreachExchange mailing list archives

Businesses need a plan when a data breach happens
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 10 Dec 2013 00:36:32 -0700

http://westfaironline.com/59545/businesses-need-a-plan-when-a-data-breach-happens/

A data breach is like an auto accident. When you have a serious automobile
accident, you have to report the accident to the police. The police could
make a determination as to who is at fault and citations and fines could be
issued. Of course, you want to report the accident to your insurance
carrier to protect yourself from litigation and you want to repair your
vehicle. At some point, a determination is made as to who was at fault and
who has the greatest liability; attorneys on both sides are always involved.

You will be asked for your current insurance card, your up-to-date license
and registration. Your inspection sticker will be examined. You will have
to show that all your records are up to date and in compliance with your
state laws and regulations.

What happens when you have a cybersecurity data breach? Once you have
recognized your enterprise has experienced a breach, under the notification
laws in 47 states you have to notify state authorities; in most cases at
least two agencies and in some cases three. If your enterprise conducts
business in multiple states, perhaps even more. You will need to contact an
attorney who specializes in the privacy area to guide you through the maze
of requirements and defend your enterprise. You will have a specific time
limit to accomplish the state regulatory notification requirements, as well
as to notify all employees, clients or other affected parties. This is
usually 60 days. Once you have notified the state or states you will
probably notify your insurance carrier because of the potential litigation,
losses and damages your enterprise could be subjected to.

The breach has happened and you have reported it so be prepared for a
potential visit or audit by the regulators to ascertain responsibility and
to determine if there have been any violations of state laws.

What compliance documents do you have in place? Privacy policies? Breach
notification policies? Do you have a written information security program
(WISP) in place and operating? Where do you keep your proof of employee
training, or a comprehensive defensible breach plan, etc.?

In the case of your automobile, there is a long history of defensible ways
to manage and limit enterprise or personal exposure: Insurance
(liability/collision), proper maintenance, state inspection up to date,
registration and license up to date, driving classes and more.

What are you doing in the cybersecurity arena to develop a defensible
breach approach to manage and limit your potential exposure?

Reports are showing that the number of breaches affecting small enterprises
is rising dramatically while the number of breaches affecting very large
enterprises is dropping. Large enterprises have the manpower, expertise,
money and resources to develop cyber policies and defensible breach
procedures. Small enterprises do not. So the criminal hackers are going
where entry is easiest and most profitable for them.

What you have done in regard to your enterprise systems and what you are
doing concerning the incident could be looked at very carefully. The
actions your enterprise takes because of a breach could be closely
examined. Your enterprise needs to be prepared for this eventuality. Like
disaster recovery plans that are becoming more popular for companies as a
result of climate emergencies, defensible breach response and WISP plans
are necessary for the reality of regulatory and/or litigation scrutiny.

Criminal hackers, when breaking into enterprise systems, will often leave
proof they were in your computer system and show they have had or can have
complete access to personal information as well as sensitive
data/intellectual properties. In today’s environment, your company could
expect a federal or state regulatory agency visit and there could be a
class-action suit or some type of litigation as a result, as has happened
repeatedly in recent months.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/