The IAPP Privacy. Security. Risk. conference in Austin, Texas, is normally not the place to hear nuclear warfare terminology tossed around, but one breakout session began with a discussion on the ominous phrase, "right of boom."
The boom is the detonation of an atomic bomb. The "left of boom" is all the work that was done to prevent an incident from occurring. The "right of boom" is what is done following the explosion to minimize fallout.
Given that this session took place in the middle of a privacy conference, Binary Sun Cyber Risk Advisors CEO Christopher Pierson, CIPP/G, CIPP/US, and Thompson Coburn Partner James Shreve, CIPP/US, CIPT, FIP, did not use "right of boom" to discuss a hypothetical World War III, but rather to analyze how organizations respond to data breaches.
In the "Right of Boom: Top Things You Do Not Want To Do in a Data Breach Response" session, Pierson and Shreve looked back at some of the most notable data breaches over the last couple of years and where affected companies stumbled in their reactions to the incidents.
Nondisclosure is an obvious misstep for companies to avoid, as was the case when Uber did not report its breach affecting 57 million people. Shreve said that by not reporting the breach, Uber hurt its relationship with regulators, particularly the U.S. Federal Trade Commission. The decision to pay the hacker behind the cyberattack was also received with skepticism, as was the choice to put the payment under the umbrella of its bug bounty program.
Both Uber's chief security officer and an in-house attorney who knew about the payment were fired. Shreve notes entities need to be prepared to lose high-level employees once the breach is made public.
"Looking back at Uber, you realize that some of the people involved may fall in the crosshairs," Shreve said. "You have a couple of people, the CSO and the in-house attorney, who are not necessarily at the top of the organization, that took the hit."
Acquiescing to hackers' demands was a bad move, according to the presenters on hand. Pierson broke down Sony's decisions following the fallout of its data breach. Sony decided to comply with the demands of the North Korean group behind the cyberattack by pulling the release of "The Interview," the movie at the center of the cyberattack. The decision was criticized, including by then-President Barack Obama.
Shreve believes the Sony breach differed from the other incidents covered during the breakout session, such as those involving Facebook, Dixons Carphone and Equifax. While the other attacks targeted sensitive information, the efforts waged against Sony could be considered all-out cyberwarfare, the intent being to cause pain rather than to gain financially.
Even with the distinction, Pierson wanted the attendees to keep their antennae up.
"When you know your company is being targeted by a nation-state, you might want to change your threat posture," Pierson said. "When Russia and North Korea [are] targeting us, and we know it, and intelligence is telling us that they are, we should turn up the knobs on our control devices."
Three words continuously wove their way throughout the presentation: communication, trust and goodwill. Target managed to lose out on all three following its 2013 data breach by failing to control the narrative. Target had to go on the defensive, Pierson explained, because security researcher Brian Krebs broke the story before Target could minimize the damage.
Former Target CEO Gregg Steinhafel released a video apology after the breach was made public, a move Pierson didn't criticize, although he added companies should not wait until an attack occurs to have their data breach-response message in place.
Pierson also noted Target didn't do itself any favors when it didn't properly staff its phone centers to field questions, and its site didn't have the proper bandwidth needed to withstand a massive traffic surge. Turns out that when people's information is compromised, they will have questions in droves. He did praise the company for officially announcing the breach Dec. 23, as it could have been tempting to disclose the attack after the holiday season.
For some of the companies featured in the presentation, the fallout hurts the brand to this day. Equifax's stock prices are still down, despite a strong market overall, and Dixons Carphone will likely suffer regulatory actions for its status as a repeat offender following another recent breach. Of course, Facebook is still reeling from its privacy snafus.
There are many different ways to avoid data breach fallout, and panelists urged attendees to learn from the major players to avoid a similar fate.
"You can disagree with us on some of these lessons," Pierson said. "But if you do agree with these lessons, take them back with you and make sure you don’t repeat those mistakes."