Are You Prepared?
A common question for almost any company is whether it is ready for a data breach. Perhaps the preferred question should be, “Are you compromise ready?” While the term “data breach” may be more familiar, it is not always accurate. Not every lost laptop, hacking attempt or stolen file results in the unauthorized access to sensitive information. “Breach” has legal significance and is a loaded term that can lead to unnecessary panic and unfortunate business consequences; it should be used sparingly by companies responding to an incident. In increasing numbers, companies are recognizing that there is no such thing as perfect security, and utilizing advanced technology or having certain certifications does not mean they are immune.
In 2014, BakerHostetler attorneys helped companies respond to more than 200 data security incidents. We took a hard look at data from those incidents to identify trends and insights, and we published our findings in our inaugural “Data Security Incident Response Report.”
Employee Error Is a Leading Cause and Other Findings
Notwithstanding the media headlines, not all incidents arise from sophisticated external attacks launched by APT groups or organized cybercrime groups. Employee error was the leading cause of incidents we helped manage in 2014. It should be no surprise then that one of the most frequent requests from regulators following a breach is for documentation around the company’s security education and awareness training.
A majority of the time, incidents were self-detected by our clients as opposed to third parties. This may appear to contradict findings of leading forensic firms that continue to report that as many as two-thirds of incidents are reported first by outsiders, but many of those firms are working with retailers who learn about a breach from a card brand’s common point-of-purchase analysis, a consumer who reports fraud, or law enforcement. Nevertheless, it remains critical for companies to develop their detection capabilities, including training employees about what to escalate to the incident response team, so they can block attacks in the early stages of the “kill chain” before the attacker finds sensitive data. When third parties identify the issue first, often the story becomes public before the company has sufficient time to block the attack, determine who was affected, and develop and implement its communication strategy.
Our analysis also showed that while data security incidents are most closely associated with electronic data, more than one-fifth of the matters we helped manage involved paper records. Oftentimes, paper incidents occur because employees forget their work papers on airplanes or in rental cars, or they send paperwork to the wrong individual.
Finally, data security incidents do not discriminate – they affect all industries, including healthcare, retail and hospitality, professional services, financial services, and higher education, and governmental entities. While the largest number of incidents we worked on involved the healthcare industry, the incidents with the most severe consequences and affecting the greatest number of customers involved the professional services industry.
The Best Defense
Our findings demonstrate that no matter the industry or how advanced a company’s technological protections may be, being “compromise ready” remains the best defense. Companies can begin by developing an incident response plan. You must assume that one day, despite your best efforts, your company will experience an incident. A sound plan will identify who is on the team and how the response activities will be coordinated. It provides a flexible framework for approaching the critical stages of incident response – planning, identification, validation and assessment, communication, containment, eradication, recovery and post-incident activities. The plan should also identify the third parties that the company will work with to respond to an incident, including legal counsel, computer forensic firms, crisis communications firms, mailing and call center vendors, and credit-monitoring and identity theft resolution providers. In short, the plan serves as a playbook for the incident response process.
Proactive security and risk assessments are becoming more commonplace, and not just for regulatory reasons. Many companies, including their boards, want to know if the company is compromised right now. The use of threat intelligence services is also becoming more common so that the company can keep up with the new ways that these types of events occur. Other ways to incrementally improve a company’s security posture include conducting employee training and awareness activities (e.g., phishing awareness campaigns) and increased focus on vendor due diligence and the contracting process. These efforts must be ongoing because the threat landscape is rapidly evolving and the company’s risks change.
The Proper Response Is Key to Survival
Ultimately, a company cannot reverse the fact that an incident occurred, but it can work hard to handle the response responsibly. Customers, patients and regulators understand that data security incidents are not always avoidable; however, no one tolerates a company that does not respond to an event in a thoughtful and organized way with a focus on protecting the people who are affected by the incident.
The reputational impact cannot get lost in the legal analysis. Still, a company must recognize that although it will not win back its customers in its first communication, it can most definitely lose them. Customers and regulators want clear communications about what happened, what needs to be done to protect the people affected, and the steps the company is taking to avoid the same issue in the future.
Hiring experienced privacy counsel to help guide the company’s incident response team is key. Many reputable and otherwise very fine firms have created “privacy” teams consisting of IP and regulatory lawyers and litigators who do not have significant experience in this specific area. Experienced attorneys have the confidence, the experience and the relationships with the regulators to help your company weigh the risks when making decisions.
Evolving Attitudes and Common Mistakes
Attitudes toward incident response have changed dramatically over the past two years. Not long ago, a company might respond to an incident by looking for a way to avoid a public disclosure over concern for the reputational impact. Now, it has swung in the other direction – too often we see companies rushing to make a disclosure before they have had a chance to investigate, in the name of “full transparency.” Rushing to disclose can be a big mistake. Such an approach underestimates the importance of communications and forensics. Where possible, a company should let the forensics drive its decision-making process. The information gained from the investigation will fuel the external communication strategy. Prompt notification is important, but delivering a clear and accurate message is critical. A company has just one chance to communicate its message.
While transparency is important, remember that acting hastily may cause unnecessary public alarm or further immunize people to these events. Over-notifying does no one any good. Additionally, prematurely speaking about an incident while an investigation is underway will likely result in the company later losing credibility because retractions will need to be made regarding prior erroneous communications.
The C-suite needs to participate in the incident response process. Company leadership may not need to be involved in day-to-day activities, but in large events, where external communications are going to be critical, they need to understand what the investigation has uncovered and the strategy for responding. One way to get the C-suite involved early on is to have its members involved in tabletop exercise drills so they know what to expect.
The Federal Question
State attorneys general currently play a major role in investigations following the reporting of a breach. Of the matters we helped manage in 2014, state attorneys general were notified in 59 instances, and official inquiries were launched 31 percent of the time. Multistate inquiries were initiated less than 5 percent of the time. The federal Department of Health and Human Services Office for Civil Rights (HHS OCR) steps in 100 percent of the time in healthcare incidents involving more than 500 individuals, and just a very small percentage of the time in matters involving fewer than 500 people (we defended clients in 28 HHS OCR investigations in 2014). The Federal Trade Commission commences investigations less frequently, but its investigations are generally much more targeted and costly to defend against.
The latest regulatory buzz, however, concerns the possibility of a federal breach notification statute. Before we can opine on whether a federal framework will be helpful, we need to know the following: (1) Will it have a risk-of-harm analysis? (2) What types of information or statements will be required in a breach notification letter? (3) Is there going to be a prescribed time limit on sending the notification? (4) Which regulators will a company have to report to? In the meantime, and no matter which law may ultimately apply, being “compromise ready” is the best course.
Read the full BakerHostetler Data Security Incident Response Report at https://www.bakerlaw.com/files/uploads/Documents/Data%20Breach%20documents/BakerHostetler-Data-Security-Incident-Response-Report-2015.pdf.
Published June 3, 2015.