BreachExchange mailing list archives

Do You Have a Data Breach Response Plan? U.S. Department of Justice Thinks You Should


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 15 May 2015 13:18:45 -0600

http://www.jdsupra.com/legalnews/do-you-have-a-data-breach-response-plan-19417/

In the wake of significant retailer data breaches in 2013 and 2014, and
additional significant breaches continuing in 2015, a trend is clearly
developing — an expectation of proactive risk identification and mitigation
from a legal, technical and business process perspective as the “gold
standard” in terms of what organizations should be doing to protect
sensitive customer, consumer or individual data, particularly with regard
to the ever-expanding category of “personally identifiable information.”
Massachusetts, Nevada and New Hampshire have passed laws specifically
requiring private sector cybersecurity assessment and adherence to security
standards by companies holding sensitive consumer data. It’s a matter of
time before other states follow. Further, Congress is in broad agreement
about the need for legislation on cybersecurity, and there has been a wide
range of congressional proposals for statutory requirements for protection
of various other kinds of sensitive data over the past few years.

Most recently, on April 30, 2015, the U.S. Department of Justice issued
cybersecurity guidance that counsels every organization with personally
sensitive data to develop a well-considered, proactive Incident Response
Plan before an attack hits, retain experienced legal counsel and remain
vigilant even after an incident appears to be under control. Regardless of
what kind of risk assessment your organization may or may not have done to
date, one thing is clear from the lessons of the past 10 years since “data
breaches” first became a newsworthy topic – data breaches can happen to
anyone. Headlines have trumpeted the casualties.

In the wake of one of the largest and most infamous data breaches, the
impacted company’s General Counsel, in testimony before Congress, offered
one over-arching piece of advice: Have a data response team and a response
plan in place.

So, here’s a simple explanation of the basic elements of a good Data Breach
Incident Response Plan.

First, build an Incident Response Team. Identify the constituencies within
your organization that need to be involved with any potential response to a
breach crisis. This will usually include representatives from legal, IT,
HR, public relations and executive management. The best practice is to
appoint Team members from each of these groups, as well as backup Team
members in case the appointed member for some reason can’t serve when a
crisis occurs (e.g. family or medical leave). It’s also important
that the people be appointed by authorized decision makers. The last thing
you want in a crisis is a culture of decision-making-by-committee to take
over. The people named to your Incident Response Team should be prepared
for a crisis and ready to take decisive action. For that reason, it’s very
important to pre-identify, as members of your Team, individuals from a
qualified and experienced outside law firm, a computer forensics firm, and
your insurance carrier. Before a breach crisis occurs, your Incident
Response Team should caucus periodically, discuss and refine your Incident
Response Plan, and “war game” possible responses to a breach. Table-top
exercises are a great idea.

In that regard, your Incident Response Team, and especially outside counsel
and your forensics firm, should become intimately familiar with relevant
policies, organizational structure, operations and infrastructure
considerations before a breach occurs. Many times, in a breach situation,
hours and minutes matter, and there is no time to waste. If brand new
people are forced to get up to speed in the heat of a crisis, when key
employees are scrambling and even fearful, critical information-sharing can
be impeded, and important aspects of your response can be unnecessarily
delayed.

In the same spirit, your organization, including your Incident Response
Team, should periodically review your organization’s exposures regarding
collection practices, use, storage, scope of disclosure and risk of harm
regarding personally identifiable information (broadly defined) or
Protected Health Information. That includes reviewing contracts with
outside vendors who may have responsibility for storing or managing your
information in the cloud. What level of detail your organizational review
includes will vary from one organization to the next, but proactively
deciding to conduct such a periodic review, even with a small team, will
raise important questions about your organization’s vulnerabilities and
preparedness. It would also be a first step toward the kind of
organizational assessment required by state laws discussed above and put
you on the road toward building a comprehensive Information Security
Program, even if your organization is not immediately committed to a
full-fledged assessment and comprehensive program at this time.

The next consideration regarding an Incident Response Plan is a plan for
controlling internal communications in the event of a breach crisis.
Emails, especially, have a tendency to start flying once a crisis breaks.
If litigation ensues, internal communications among a broad group of people
– especially people who are uninformed or have no need to be discussing the
issues – can come back to bite your organization. Your Incident Response
Team should be prepared, in advance of a breach crisis, to communicate
quickly and clearly to your organization that a specially prepared Team is
“on it” and that internal communications regarding the events in question
should be curtailed to the greatest degree possible. To that end, employee
interviews conducted as part of your internal and forensic investigation as
to the causes and extent of the breach should be conducted with counsel
included, so that the protection of attorney-client privilege is preserved.

It’s also important to pre-plan regarding any outside third parties who
must be contacted in the event of a breach. This is generally driven by the
industry you’re in, the regulatory posture of your business, and relevant
breach notification laws. For instance, if you’re a financial institution
or a HIPAA-covered entity, the notification schemes governing those
industries require regulators to be notified of a breach in certain
circumstances. Likewise, certain state notification statutes require
notification of the state Attorney General or other consumer protection
officials if certain thresholds are met. Knowing who you must notify
outside of your organization, and how to notify them, before a breach
occurs is critical.

Finally, it’s important, before a breach occurs, to have one spokesperson
identified who will speak for your organization. Preferably, this person
should be a member of your Incident Response Team so that they are
adequately informed from the start. Multiple voices speaking to multiple
constituencies – your internal organization, regulators, media outlets or
law enforcement – generally just create a lot of noise, rather than a
concise, informed, consistent message that is necessary to bring efficiency
to your response, and calm to all the various constituencies concerned.

Building an Incident Response Plan is just one aspect of information
security. Ideally, it should be part of a broad Information Security
Program that includes assessment of all of your organization’s information
vulnerabilities and risks. But it’s perhaps the easiest step to accomplish,
and when (not if) your organization experiences a data breach, you’ll be
glad you set out to prepare yourself ahead of time.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 