As recent headlines would indicate, data breaches are serious business with significant repercussions for organizations. That’s why the topic was the focus of an entire day of “how-to-prepare” panels at the IAPP’s Practical Privacy Series in Washington, yesterday.
Panelists were very clear on a few key points, especially: Every company must have an incident-response plan. It’s no longer a question of whether a data-loss incident will occur, but when. Given that, companies must have a communicated, written, and practiced plan in place before any incident ever occurs. That plan should comprise established internal and external crisis teams; signed contracts with crisis-management and forensics vendors so they're on retainer; and mock breaches to practice preparedness.
Also important? Don't call it a breach until you know it's a breach. Until you know that, it's a data incident. That phrase goes viral much more slowly, if at all.
Karen Zackaria, CIPP/US, Verizon’s deputy general counsel and chief privacy officer, said that while brands are often anticipating “the big one,” it’s smart to have a plan that encompasses all scenarios — big or small — and to prioritize what you're protecting.
“What are the crown jewels?” Zackaria said incident-response teams should ask. “What information is most important? If there’s an incident, what would be the repercussions if that information got into the hands of a hacker or if an employee walked off with that information? What are the internal and external risk factors? Externally, what kind of third-party vendors have access to it?”
Incident-response plans will look different from company to company, of course, given size, culture, management structure, etc. For some companies, it's going to look like “a really nice binder” of prescriptive process; for others, it’s going to look like the whiteboard a football coach holds on the sidelines, wiped clean and rewritten based on the situation, said Jason Maloni of Levick, a crisis communications firm.
Rehearse the breach
Besides creating a cross-functional incident-response plan, panelists repeatedly urged organizations to conduct tabletop exercises, i.e., role-playing, that bring in all involved teams to ensure everyone is speaking the same language and understands both what may be required should a forensics team and/or law enforcement agency step in and what the external messaging should be.
“Who are we going to call? What is our PR response? Involve the tech team, the compliance team, the PR team,” said Steve Elovitz of Mandiant, a security consulting service. “These groups do not talk enough to each other, and if they aren’t well-oiled, you’re going to find all sorts of places where there are issues with the incident response plan or differences in expectations.”
Zackaria said a solid IRP includes clear lines of communication, formalized roles and responsibilities, and clarified protocols around escalation and notice.
Sign vendor contracts before an incident can occur
Elovitz recommends hiring a consulting group before an incident even occurs, because a lot has to happen within the first 72 hours of an incident, and it’s important not to waste time shopping for vendors or signing contracts during those critical hours.
Once you’ve got your response team hired, Elovitz recommends reviewing your data logs with them so any visibility gaps can be resolved ahead of time. That’s because, most of the time, the logs that forensics investigators, or even law enforcement, may need to audit after an incident aren’t readily available or easily traced. Elovitz said that happens all the time.
David Harrison of LMG Security said the average amount of time an intruder stays in your system is 200 days. He challenged PPS attendees to try to determine who accessed their regulated data on May 16, approximately 200 days ago.
“I guarantee very few of you could do it,” Harrison said.
That’s why, Elovitz suggests, “Let’s meet and prepare up front.” He even suggested companies put a tabletop exercise within their security consultant’s retainer agreement.
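As an added illustration (not from the article or any of the panelists), a small Python check of the kind Elovitz's log review and Harrison's 200-day challenge call for: it parses constructed audit-log lines, computes the date 200 days back from an assumed as-of date, reports who touched a regulated dataset on that day, and flags days for which no log lines were retained at all. The log format, the user names and the `customer_pii` label are all constructed.

```python
from datetime import date, timedelta

# Constructed sample audit-log lines (not from the article). Deliberately
# missing: nothing for 2016-05-16 was ever shipped to central log storage.
SAMPLE_LOG = """\
2016-05-15T08:02:11Z user=alice action=read dataset=customer_pii
2016-05-15T17:45:03Z user=svc-backup action=read dataset=customer_pii
2016-05-17T09:10:44Z user=bob action=export dataset=customer_pii
2016-05-17T12:30:00Z user=carol action=read dataset=marketing
2016-05-18T06:00:09Z user=svc-backup action=read dataset=customer_pii
"""

REGULATED = {"customer_pii"}  # assumed label for the regulated data store

def parse_log(text):
    """Parse 'timestamp key=value ...' lines; 'day' is the ISO date."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["day"] = date.fromisoformat(ts[:10]).isoformat()  # validates
        events.append(ev)
    return events

def lookback(as_of, days):
    """ISO date `days` before `as_of`: the start of a 200-day dwell time."""
    return (date.fromisoformat(as_of) - timedelta(days=days)).isoformat()

def accessors_on(events, day, regulated=REGULATED):
    """(any log retained for `day`?, sorted users who touched regulated data)."""
    have_logs = any(ev["day"] == day for ev in events)
    users = {ev["user"] for ev in events
             if ev["day"] == day and ev["dataset"] in regulated}
    return have_logs, sorted(users)

def visibility_gaps(events, start, end):
    """Days in [start, end] (ISO strings) with no retained log lines at all."""
    covered = {ev["day"] for ev in events}
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    days = (first + timedelta(days=i) for i in range((last - first).days + 1))
    return [d.isoformat() for d in days if d.isoformat() not in covered]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    target = lookback("2016-12-02", 200)      # assumed as-of date -> 2016-05-16
    print(target, accessors_on(evs, target))  # (False, []): no logs that day
    print(visibility_gaps(evs, "2016-05-15", "2016-05-18"))
```

The `(False, [])` result is the point: an empty answer with no retained logs is a retention gap to fix before an incident, not evidence that nobody accessed the data.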
Don’t communicate too early
While being prepared for an incident and having a response plan is important, there’s something to be said for restraint, as well. Seth Harrington, partner at Ropes & Gray, and Brian Lapidus, managing director at Kroll’s Identity Theft and Breach Notification practice, warned about raising the red flag too quickly.
“I can’t tell you the number of times where we have been involved and something actually didn’t happen,” Lapidus said. With that in mind, panelists throughout the day frequently referred to potential intrusions or losses as "data incidents" rather than "data breaches." That's because, as Michael Robinson, CEO of Inform, said, "In 2016, companies do not get the benefit of the doubt. It’s the world we live in."
Lapidus and Robinson warned against taking impulsive action before your forensics team has had a chance to sweep in, and said it’s better to wait until your forensics team is 90 percent done with its audit of what’s been lost or compromised before you start talking to the public.
“Investigate, analyze, and contain,” he said. “Make conclusions based on evidence, don’t assume.”
Seth Harrington of Ropes & Gray said that when investigating and analyzing, get the people you need involved in the room and off email. That can be important in litigation later.
Finally, given the number of false positives, Lapidus recommends the following steps within the first 72 hours after detecting a potential incident: first contact legal counsel, then alert the internal response team, begin documentation, and then put the incident response plan into action.
“Being thoughtful and knowing what you’re going to do ahead of time is the difference between success and failure,” Maloni said.