BreachExchange mailing list archives

Response Plan Rewind: The Essentials of Data Breach Response Plans


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 23 Oct 2015 13:42:11 -0600

http://www.jdsupra.com/legalnews/response-plan-rewind-the-essentials-of-23053/

From the financial sector to the healthcare industry, and even the security
business itself, hackers are creeping their way into business data systems
and pilfering personal information. For financial institutions, security
measures to prevent attacks are not foreign. Nor is the need for a response
plan in case preventative measures fail. Financial institutions have been
required to maintain data breach response plans since 2005, when the Office
of the Comptroller of the Currency (“OCC”), the Federal Deposit Insurance
Corporation (“FDIC”), the Board of Governors of the Federal Reserve System
(“FRB”) and the Office of Thrift Supervision (“OTS”) jointly promulgated
the Interagency Guidance on Response Programs for Unauthorized Access to
Customer Information and Customer Notice (“Interagency Guidance”).

On the ten-year anniversary of the Interagency Guidance, we invite
financial institutions to take a critical look at their response programs
and refresh their knowledge about the key components of a defendable
response (although financial institutions should regularly update their
plans to account for changes in business assets, key personnel and
applicable law). After all, the best way to minimize damages is to plan
ahead, and during an attack is no time to be thinking about how to improve
the plan.

Response plans are not one-size-fits-all. They should be risk-based and
tailored to the size and complexity of the institution and the nature of
its activities. The Interagency Guidance identifies the following five
procedures as the minimum requirements:

1. Assessing the nature and scope of an incident, and identifying what
customer information systems and types of customer information have been
accessed or misused
2. Notifying the institution’s primary federal regulator as soon as
possible when the institution becomes aware of an incident involving
unauthorized access to or use of sensitive customer information
3. Notifying appropriate law enforcement authorities, in addition to filing
a timely Suspicious Activity Report (“SAR”) consistent with SAR
regulations, in situations involving federal criminal violations requiring
immediate attention, such as a reportable violation that is ongoing
4. Taking appropriate steps to contain and control the incident to prevent
further unauthorized access to or use of customer information by, for
example, monitoring, freezing or closing affected accounts, while
preserving records and other evidence
5. Notifying customers when warranted

The process for determining whether notification is required and who must
be notified is an important part of a financial institution’s response
plan. Three of the five minimum requirements identified in the Guidance
involve notification. These obligations vary depending on the
circumstances of the incident. The following list identifies many, but not
all, of the notifications that may be required or recommended depending on
the circumstances:

- Law enforcement officials (local police, FBI, U.S. Secret Service) should
be notified if the entity suspects the incident is a result of criminal
activity or if the compromise could result in harm to a person or business.
- The institution’s primary federal regulator should be notified as soon as
possible when the institution becomes aware of an incident involving
unauthorized access to or use of sensitive customer information.
- An institution that has been attacked should also notify other businesses
in its network, which may be potential victims. Some businesses may also
have a right to notification under the terms of a contract between the
institution and the business.
- The OCC, FDIC, FRB and OTS recommend that institutions notify the credit
reporting agencies if a large number of customers’ personal information has
been compromised, particularly if the institution will send notices to the
customers that include contact information for the reporting agencies.
- The institution should review its insurance policy with legal counsel and
determine if the incident is covered by the policy. The carrier should be
notified in accordance with the applicable policy provisions.
- If the information compromise involved the improper posting of personal
information on the internet, the institution should contact the search
engines to ensure they do not archive personal information that was posted
in error.
- Notice to the affected customer may or may not be required. Pursuant to
the Interagency Guidance, an institution should notify the affected
customer as soon as possible if the institution determines that misuse of
its information about a customer has occurred or is reasonably possible.
Customer notice may be delayed if an appropriate law enforcement agency
determines that notification will interfere with a criminal investigation
and provides the institution with a written request for the delay. The
institution should notify the customer as soon as notification will no
longer interfere with the investigation.

Timely and effective notification is important to manage the institution’s
reputational risk and reduce its legal risk. Legal counsel can guide an
institution through the process of determining whom to notify, and when
and how to notify them, based on the nature of the breach. Additionally,
preparing draft forms of notice in advance of an incident saves time and
results in a message that is better crafted to address all essential
matters and present them in a light that best manages the institution’s
reputational and legal risk. Institutions should consult legal counsel
when drafting customer notices, as the Interagency Guidance identifies
content that should be included in such notices.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 