For corporations, having a clear plan to respond to a possible data breach is often a core and critical issue.
There are a wide range of laws that apply when a company is responding to a data breach.
In the United States, there are laws in every state as well as industry-specific federal laws.
In Europe, the General Data Protection Regulation (GDPR) addresses how a company responds to a breach, and other countries have laws as well.
Breach notification laws in the United States are numerous, and lawsuits often arise post-notification.
In the United States, there are laws that require companies to provide notification to affected individuals and/or government authorities in the event of a data breach.
Companies that suffer a data breach may face litigation exposure, reputational liability and potential regulatory scrutiny. Reputational liability is the most difficult of these to anticipate.
Should a company face such scrutiny, factors that will be considered include:
A purported obligation to prevent unauthorized access to or use of the data
If the company satisfied an applicable industry standard of care
Whether there were damages or injury, and if the organization’s conduct (or lack thereof) was the proximate cause of the damages
A Ponemon Institute study revealed that malicious actors or criminal attacks are the most common cause of data breaches. The root causes of breaches cited in the study include malicious or criminal attack (48 percent), human error (27 percent) and systems glitch (25 percent).
Employee error or negligence is reported to be one of the biggest causes of privacy breaches.
Even malicious and criminal attacks often take the form of phishing attacks, which rely on unsuspecting employees.
Ongoing training and awareness raising around information security policies and practices is therefore essential in reducing the risk of a privacy breach.
When faced with a potential security incident, there is often a temptation to call the situation a data breach. However, that term is a legal one, defined in different ways under various laws around the globe. Until a lawyer has made a determination that a fact pattern meets the legal definition, corporations should refer to a security incident as just that, an incident or a potential incident.
An incident is a situation in which the confidentiality, integrity or availability of personal information may potentially be compromised.
For a data breach to exist, typically there must be some sort of unauthorized access or acquisition of the information, although the definition of breach varies.
If a breach exists, impacted individuals and, in many cases, regulatory authorities must be notified.
In sum, all breaches are incidents, but not all incidents are breaches. Only the privacy office or legal office can declare a breach, based on certain triggers.
Companies generally recognize they may be subject to a data incident.
The common phrase is “not if, but when.” With this in mind, what measures can a company take to prepare for an incident? Preparedness does not prevent an incident.
Preparedness focuses on measures a company can take to respond optimally—in other words, to answer the question, “What will the company do when prevention fails?”
Organizations typically face the following questions when they’re making the case for training or planning its execution.
Why train? The answer to this is straightforward. Training exposes gaps in applications, procedures and pre-incident plans.
Who should receive training? The entire organization will likely need some form of training. Many may only need to learn how to report a potential incident. Others may require more in-depth training.
What form should training take? Training will take various forms, and content should be customized to the audience. It might be a short video or a structured readiness-testing simulation.
A key step in incident preparation is the formal creation of an incident response plan. To create the plan, the drafting team will need to gather a vast amount of information and then use the information they have gathered to develop processes and procedures.
This team should be led by the privacy office and the legal department and include help from IT, communications, HR and senior management.
Effective incident response requires systematic, well-conceived planning before a breach occurs. The success of an incident-response plan ultimately depends on how efficiently stakeholders and constituent teams execute assigned tasks as a crisis unfolds.
Insurance may be a viable source of funding to offset breach-response and recovery costs. While traditional policies may provide a certain level of protection, they do not normally cover expenses resulting from a data compromise. To reduce exposure, risk managers must work closely with insurance carriers and finance stakeholders to select the right type and level of coverage prior to an incident.
Cyber risk insurance typically covers:
Forensic investigations
Outside counsel fees
Crisis management services
PR experts
Breach notification
Call center costs
Credit monitoring
Fraud resolution services
Often, vendors are the ones that suffer a data breach. But because of the way data breach notification laws are drafted, the obligation to notify may fall on your company, not the vendor. For this reason, it’s important to have a good understanding of what information your vendors have, how they use it, and what they will do if they suffer a breach.
9.5 Roles in Incident Response Planning, by Function
This section covers the core elements of incident response planning, incident detection, incident handling, and consumer notification. The focus is on the U.S. approach to responding to data breaches, since the United States has some of the world’s strictest and most financially consequential breach notification requirements. The section begins by identifying the roles and responsibilities the previously identified stakeholders may play during a breach.
To help operations run smoothly in a time of crisis, many companies depend on a business continuity plan (BCP). The plan is typically drafted and maintained by key stakeholders and spells out departmental responsibilities and actions teams must take before, during and after an event. Situations covered in a BCP often include fires, natural disasters (e.g., tornadoes, hurricanes, floods), and terrorist attacks.
Once breach preparedness is integrated into the BCP, or if the company decides to have a standalone incident response plan, incident response training will likely be required. This training may take many forms, including workshops, seminars and online videos, but often includes tabletop exercises, a strategic mainstay of corporate trainers and business continuity planners.
Soon after concluding the exercise, results should be summarized, recorded and distributed to all participants. Perhaps most importantly, fresh or actionable insights gained from the exercise should be added to the BCP.
Breach preparedness training, especially in a large organization, represents a significant investment. Creating an environment that ingrains data security into the corporate culture and prepares teams to respond effectively requires an organization-wide commitment backed by the resources to see it through.
The strategic upside of investing in breach preparedness includes:
Exposure of critical gaps in applications, procedures and plans in a pre-incident phase
Greater overall security for customers, partners and employees
Reduced financial liability and regulatory exposure
Lower breach-related costs, including legal counsel and consumer notification
Preservation of brand reputation and integrity in the marketplace
The process of responding to a breach involves tasks that are not necessarily linear. Companies facing a potential incident will deal with incident detection, ensure that stakeholders collaborate and know their roles, investigate, ask their legal teams to conduct a legal analysis, address reporting obligations, and recover from the situation.
While these steps are all part of a well-run response, many of them must happen in parallel. It can be helpful to think about breach response tasks in broad categories: secure operations, notify appropriate parties, and fix vulnerabilities.
Unfortunately, there’s not one definitive way to detect a breach. Customer calls or news reports may alert an organization to trouble before internal sources even recognize a problem. Consider, for your organization, how you will determine whether to classify an event as an incident or a breach.
From their first day at an organization, new employees should be taught and encouraged to assume a privacy-first mindset. When they observe that leaders and fellow associates are genuinely committed to data security and privacy protection, new hires are more likely to respect and comply with established reporting and data-handling policies.
To emphasize employees’ personal responsibilities when encountering a breach, policies and procedures should be a regular component of security training and refreshers. The following worksheet provides a foundation for developing your own incident-reporting or privacy-training worksheets.
These are merely suggestions and not intended to be a comprehensive list. Keep in mind as well how these materials are distributed. Does the incident involve a bad actor who has possibly accessed your email system? If so, then reporting should not be occurring through that potentially compromised system!
Sample Worksheet—Prepared at the Direction of Counsel
Facts as they are known:
Name and contact information of person discovering the incident
Date and time the incident was discovered or brought to your attention
Incident date, time and location
Type of data suspected to be involved
Internal organization or employee data
Client or customer data
Third-party partner or vendor data
Employee’s description of what occurred:
Brief description of how the incident or breach was discovered.
Does the incident involve paper records, electronic information or both?
What type of records or media do you believe were involved?
Paper: letter, office correspondence, corporate document, fax or copies thereof?
Electronic: data file or record, email, device such as laptop, desktop, or pad-style computer, hard drives in other electronic equipment (e.g., copy machines)
Media: external hard drive, flash/thumb drive, USB key
Do you know if the device or information was password-protected?
Do you know if the device or information was encrypted?
Do you believe personally identifiable information (PII) such as Social Security numbers, account information, user names or passwords were exposed?
Can you estimate how many records were involved?
To the best of your knowledge, has the incident been contained? (That is, has the data leak or loss stopped, or is there still potential for additional data to be lost?)
Within any organization, data is viewed and handled by any number of individuals and groups and is often stored in several disparate locations—even across multiple states or continents. The potential for compromising sensitive data exists throughout every business of every size in every industry.
In many organizations, the level of technical integration between IT and facilities is so deep and so extensive that regular contact through established lines of communication is essential to maintaining security.
Hiring, transfers, promotions or other changes in employment status may require revisions to an individual’s data access privileges. When such changes are needed, HR, IT and facilities should follow established policies for monitoring and managing data access.
Sensitive data is seldom handled or processed in a single location. In today’s global economy, huge volumes of personal information for which companies are directly responsible reside in systems and facilities managed by outside vendors, partners and contractors.
These groups should always be accounted for in incident detection and planning.
To those on the front lines, prevention and detection bear many similarities to defending an occupied fortress. They must protect sensitive information against treachery and attacks that could come at any time. Regardless of how they originate, if the fortress is to remain secure, threats must be detected and eliminated before it’s too late.
An incident response process will need to balance these objectives. A successful response will be directed by legal (to address the legal exposures and privilege concerns), who will work hand in hand with an IT leader focused on containment and remediation. Other key stakeholders will also need direct involvement.
Immediately following the decision to notify affected parties, tactical portions of the incident response plan begin to unfold.
Companies dealing with an incident may find themselves balancing two possibly conflicting issues:
Containment
Legal exposures
Companies want to contain and remediate the problem. At the same time, should the situation be viewed as a data breach, impacted individuals and, potentially, government agencies must be notified. These notices often result in lawsuits or regulatory scrutiny.
Organizations often have many individuals with extensive knowledge about data breach matters. In addition to legal counsel, who are concerned with privilege, the chief privacy officer (CPO) or chief compliance officer (CCO) wants to ensure that a breach is handled correctly from a compliance standpoint, and the chief information security officer (CISO) will be focused on the nuts and bolts of investigation and containment. The CISO’s role may include recommending outside forensic experts to help ascertain the incident’s cause, size and scope.
Below is a list of tips to help manage expectations and communicate with executives:
Manage executive leaders’ expectations by establishing the frequency of updates/communications
Determine what is appropriate for the situation and communicate when/if the frequency needs to change
Hold a kickoff meeting to present the team with the known facts and circumstances
Provide senior executives with an overview of the event and of the team’s expected course of action
Engage remediation providers to reduce consumers’ risk of fraud or identity theft
Convene with individual stakeholders to discuss lawsuits, media inquiries, regulatory concerns and other pressing developments
Keep individual response-team members on track to meet their performance objectives and timelines
Track budget adherence for all response activities
Contact outside incident response resources to confirm engagement and monitor performance
Prepare a final analysis of the response effort and lead the post-event evaluation
In addition to ensuring the protection of privilege during the investigation, legal will be focused on determining whether there is a duty to notify under breach notification laws, and if so, what form that notice should take. The entities to notify vary by breach.
Drafting and reviewing contracts is another vital area in which legal stakeholders should be involved. If data belongs to a client, legal can interpret the contractual notification requirements and the reporting and remediation obligations. Should the organization become the target of post-breach litigation, the legal stakeholder may also guide or prepare the defense.
While some data incident matters do involve paper records, given the cyber nature of most incidents, it is almost certain that the information security group will be engaged to address data compromises.
The CISO or the chief technology officer (CTO) or their designated person on the incident team will focus the group’s expertise on facilitating and supporting forensic investigations, including evidence preservation.
To support other groups with their breach response efforts, the technology team may also:
Provide a secure transmission method for data files intended for the print vendor or incident call center
Identify the location of potentially compromised data (e.g., test development and production environments)
Determine the number of records potentially affected and the types of personal information they contain
Clean up mailing lists to help facilitate the printing process
Sort through data to identify populations requiring special handling (e.g., minors, expatriates, deceased)
Monitor systems for additional attacks
Fix the gaps in the IT systems, if applicable
There are typically two levels to a response team.
First are the leaders who will make the key decisions about how an incident is handled.
Second are the individuals who will be providing input and support to the core team. Those in the second group will vary depending on the type of incident. A balance should be struck between ensuring that the appropriate stakeholders are included but that communications are controlled to avoid legal exposure. Legal counsel can be very helpful in this regard.
Breach investigation is a subset of breach response and occurs once breach investigators have concluded that sensitive information has been compromised. Professional forensic investigators can capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.
During an investigation:
On the containment side, the focus is on isolating compromised systems, containing the damage, and documenting any actions taken.
On the legal side, the focus is on determining whether the event constitutes a “breach” as defined by the relevant laws, preserving electronic evidence, and establishing a chain of custody.
During the investigation phase of an incident, containment will be top of mind for the IT/information security team. The need to prevent further loss by taking appropriate steps is critical. These include securing physical areas and blocking bad actors’ access to impacted data. The approach to these issues, however, needs to be balanced with the legal steps discussed in the next section.
When investigating an incident, a company will want to make sure that its investigation and related communications and work product are protected by attorney-client privilege. Attorney-client privilege protects any communication between a lawyer and their client made for the purpose of giving or obtaining legal advice.
After a cyber incident, a company should notify all its insurance providers, because there may be coverage under more than just a standalone cyber policy. After notification, the company should receive a coverage letter from the insurer outlining the scope of coverage.
Companies that have contracted with credit card companies to accept credit card payments must notify those credit card companies in case of a breach. The contract should be consulted because it is likely to contain specific requirements not only about notification but also about post-breach procedures and cooperation with the credit card company.
It may be necessary to engage outside forensics vendors in a complex breach. To ensure the investigation is privileged, those vendors should be engaged by the attorneys (preferably by outside counsel) rather than the company.
Think carefully about how it is most appropriate to involve key stakeholders. What is the culture of your company? What are the legal and practical risks in your situation of involving large groups in potentially sensitive matters?
Not all breaches require notification. There are various types of notification requirements to regulators and affected individuals. If data was encrypted, or if an unauthorized individual accidentally accessed but didn’t misuse the data, potential harm and risk can be minimal and companies may not need to notify (based on applicable laws). Notification may be required even without harm to an individual. Coordinating with legal counsel to understand notification obligations is critical.
Breach-reporting obligations for legal compliance vary by jurisdiction, but tend to adhere to certain principles, including harm prevention, collection limitation, accountability, and monitoring and enforcement. The legal team will determine, based on the facts, whether the situation constitutes a breach as defined by relevant laws such that notification is necessary.
Escalation refers to the internal process whereby employees alert supervisors about a security-related incident, who in turn report the details to a predefined list of experts—typically the privacy office—which will then engage IT, information security, facilities or HR. Notification is the process of informing affected individuals that their personal data has been breached.
During the management of a privacy incident, it is imperative that all internal communications are locked down so that inaccurate or incomplete details regarding the incident are not sent around the organization. The incident response team should be responsible for all internal communications regarding the incident; these communications should only be forwarded to staff on a need-to-know basis.
In the United States, some states mandate that notification letters contain specific verbiage or content, such as toll-free numbers and addresses for the three major credit bureaus, the FTC and a state’s attorney general. Multiple state laws may apply to one breach, and notification may be delayed if law enforcement believes it would interfere with an ongoing investigation.
The notification deadline weighs heavily, in addition to the public scrutiny and already stressful ordeal of a data breach. Mishandling notifications can lead to severe consequences, including fines and other unbudgeted expenses. For extra support, some companies enlist the services of a third-party breach resolution provider to assist with notification, call-handling and credit-monitoring offers.
Attempting to keep employees from learning of a data loss is neither prudent nor possible. On the contrary, transparency is typically paramount to maintaining integrity and credibility. When a breach occurs, in most situations all employees should receive properly worded communications about the event, along with specific guidelines and prohibitions about externally disseminating information.
The creation and release of external communications should be closely coordinated with the call center, in connection, of course, with legal counsel. In addition to notification letters and press releases, other external strategies and tactics may be deployed to announce and manage breach communications. Among the most important of these is to engage a professional crisis management or communications firm (if none are available internally) and designate a senior, media-trained executive as the organization’s spokesperson.
Legal counsel should provide guidance on which state, federal or international regulatory agencies require notification in the event of a data breach. In many instances in the United States, it is appropriate to contact the state attorney general and, in some cases, the FTC.
In the healthcare industry, the Department of Health and Human Services (DHHS) may need to be notified as well. Notification to these agencies would be determined on a case-by-case basis, depending on the size and scope of the data breach; work with your legal counsel with data breach experience to provide such notices.
Letters and emails are the most common forms of breach notification. As organizations decide to notify, the need to meet specific deadlines in accordance with applicable laws while working within the constraints of complex production and delivery processes can be unwieldy and difficult to reconcile.
Call centers normally in place have the infrastructure, policies and procedures needed to seamlessly switch from providing general customer service to answering breach-related calls. For a switch to be successful, proper preparation for every call center component is required. Adequately staffing the incident response team is one particularly critical consideration.
Besides trying to protect incident victims’ identities, companies tend to offer remediation services to soften the blow of a breach. If a remediation offer is made, the organization should facilitate the dialog between the parties involved, which typically include the credit-monitoring provider, letter print shop, and call center.
As a best practice, the notification letter should feature a full description of the remediation product, enrollment instructions, and a customer service phone number or email address. An activation code, by which the recipient may redeem the remediation product, should also be included.
There is some debate about the level and type of progress reporting that is needed for an incident. Keep in mind that every situation is different. That said, making sure the incident team is well-informed and moving toward a unified goal is critical.
For complex or large-scale data breaches where notification is required (as determined by legal), there will be a significant number of letters mailed, calls received, and credit-monitoring enrollments. Keeping track of this information and being prepared to report up (or down) is important, and having a strong reporting structure plays a pivotal role in distilling the chaotic flow of reports into a clearer, more manageable stream.
You will need to give different types of reports to different stakeholders based on their need to know. Regardless of audience, progress reporting during the breach recovery period should focus on the question, “What data do they need, and when do they need it?”
Incident response can be tested with a variety of scenarios. But even a well-written plan can falter when the theory behind it collides with realities on the ground. As teaching tools, real-life breaches are far superior to hypothetical scenarios, so lessons learned from all incidents must afterward be captured, recorded and incorporated into the plan.
Evaluate the response plan after the chaos has subsided.
Ask questions:
Which parts worked?
Which worked only after some modification?
Which did not work at all?
What did the team do exceptionally well?
What didn’t go well?
Were any unforeseen complications encountered?
How could they have been avoided?
How well was the team prepared for the unexpected?
How realistic were the plan’s response timelines?
What was the difference between actual and budgeted costs?
Was the team sufficiently staffed?
Were all relevant parties part of the team?
What could be learned, and what could be improved upon, for the next potential breach?
While many breach-related costs can be identified and tallied using actual invoices, others are less apparent. Lost business opportunities and damage to brand equity are examples of costs that may affect the bottom line for years following a breach.
Breach Costs

Legal Costs
Punitive Costs: Fines, lawsuits and other penalties stemming from negligence in preventing or improperly responding to the breach

Internal Costs
Outside Counsel: Legal review of the organization’s contractual and regulatory obligations after a breach; may include defense costs if litigation results
Crisis Management/PR: Experts to help the organization craft and deliver cohesive, properly timed and customer-friendly communications about the incident
Forensic Investigators: Specialists to confirm, contain and eliminate the cause of the breach and determine the size, scale and type of records affected
Call Center Support: Staffing, training and support of the customer care team responsible for handling calls and emails related to the incident and its aftermath
Equipment Replacement and Security Enhancements: Equipment changes, system upgrades and physical security improvements to mitigate the current breach and prevent future incidents
Insurance: Retention (deductible) payments and fee increases associated with the breach
Card Replacement: The cost of issuing new cards (in incidents when credit card numbers have been compromised)
Employee Training: Educational activities intended to improve upon previous programs that facilitated the breach

Remediation Costs
Victim Notification: Creation and delivery of letters, emails, web pages and other methods/channels to notify affected individuals about the incident
Remediation Offers: Provision of services such as credit monitoring, fraud resolution and identity theft insurance to breach victims
Victim Damages: Costs related to correcting damages incurred by breach victims

Intangible Costs
Customer Retention: Marketing campaigns designed to prevent customer attrition and win back lost business following an incident
Lost Revenue and Stock Value: Reductions in stock price, lost customers and other revenue decreases directly related to the loss
Opportunity Costs: Lost productivity and revenues, as employees suspend regularly assigned tasks to assist with breach response
While no organization would choose to experience a data breach, failures breed opportunity for organizational change and growth.
How can you ensure you walk away from a breach better prepared for the future?
Be sure to conduct a breach or incident response review, or a post-incident assessment.
At minimum, review these items:
Staffing and resourcing
Containment, including timing and processes
The C-suite commitment, including signoff on new measures and allocation of resources
Clarity of roles of the response team and others
The notification process for individuals, regulatory bodies and others
9.13 Summary
A proper breach response plan provides guidance for meeting legal compliance, planning for incident response, and handling privacy incidents. An organization needs to be prepared to respond to its internal and external stakeholders, including regulators. The privacy professional and related team members need to be prepared to respond appropriately to each incoming request to reduce organizational risk and bolster compliance with regulations.