Over the last few years, data breaches have become a regular occurrence for most consumers. By now, the average person has either been directly impacted by a data breach or knows someone who has. As a result of this increase in data breach awareness, companies that experience a breach are under much greater scrutiny today than ever before. Companies are no longer judged by whether they have a breach, but rather on how they respond when a breach occurs.
While, according to the Ponemon Institute, 81 percent of companies have data breach preparedness plans in place and understand the basic procedures for responding to an incident, actually executing a plan during a breach can challenge even the most seasoned companies. It is no longer enough to have a plan on paper: companies need to keep examining the current data breach landscape so they can identify new threats, capture best practices and watch for the common mistakes to avoid.
Based on experience servicing some of the largest data breaches to date, Michael Bruemmer, vice president, Experian Data Breach Resolution, has identified five common failures he sees companies make when preparing for, and responding to, a data breach, and has outlined guidance on how companies can tackle these issues.
Common Data Breach Mistakes to Avoid
Local Regulators and Law Enforcement
Failure #1: Not identifying and getting to know local regulators and law enforcement prior to an incident.
Establishing relationships with the regulators and agencies that will have authority over or influence on a security incident, including state attorneys general, local law enforcement and the FBI, before an event occurs is crucial for a successful response. Many companies nevertheless wait until an event actually occurs to make first contact with these stakeholders.
To get ahead of this, companies should set up a meeting with their local FBI field office contact and their state attorney general's office to start building relationships and to learn about the latest threats those agencies are seeing companies face.
Failure #2: Not anticipating emerging threats that complicate breaches.
Companies are often unprepared or underprepared to respond to emerging threats such as ransomware. While ransomware is not new, both the malware itself and the rules on reporting it keep evolving. Newer ransomware variants can have implications beyond losing access to systems or documents: they can leave behind additional malware, such as a backdoor or credential stealer, that causes a breach down the road. On the regulatory side, guidance released by the Department of Health and Human Services Office for Civil Rights in July 2016 states that, for organizations subject to HIPAA, a ransomware infection that encrypts protected health information is presumed to be a reportable breach unless the organization can demonstrate a low probability that the data was compromised. The reason is that it is often unclear whether data was accessed or exfiltrated while the attacker had control of the systems.
As a best practice, all companies should revisit their response plan to ensure that it covers, at the very least, a response to basic ransomware attacks (isolating affected hosts, preserving a copy before wiping, restoring from known-good backups), as well as a plan for reporting the attack to regulators, since reporting can help mitigate the impact of related breaches in the future.
Failure #3: Not properly collecting and maintaining forensic evidence during an incident.
Properly collecting and maintaining the evidence needed to determine the size and scope of a security incident is a major challenge for many organizations. Many companies fail to preserve copies of the systems that were targeted during an attack. Whether that evidence is lost in an effort to quickly stop the bleeding (reimaging or rebooting a compromised host) or because it is overwritten with new data (rotated logs, reused disk blocks), its loss makes it much harder to establish the severity of an incident, and it invites scrutiny from regulators reviewing the effectiveness of the company's response.
Companies must incorporate procedures for securing forensic evidence in their response plans: acquire memory and disk images before remediation, hash every artifact at collection time, and record who handled each item and when. Taking this step ensures IT staff are equipped to preserve a defensible chain of custody.
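As an added illustration of the evidence-preservation step (example code written for this page, not Experian's tooling), the script below builds an integrity manifest for preserved artifacts, appends chain-of-custody events, and later re-verifies every item so that an overwritten or deleted artifact is detected rather than silently lost. The case ID, analyst name and artifact contents are constructed for the demo.

```python
"""Evidence integrity manifest: hash preserved artifacts at collection time,
log custody events, and re-verify later so altered or missing evidence shows up."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB disk images fit in memory


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector: str, case_id: str) -> dict:
    """Record hash, size and acquisition time for each artifact, plus the
    first custody entry (who acquired it and when)."""
    now = datetime.now(timezone.utc).isoformat()
    items = []
    for p in paths:
        p = Path(p)
        items.append({
            "name": p.name,
            "path": str(p),
            "size": p.stat().st_size,
            "sha256": sha256_file(p),
            "custody": [{"action": "acquired", "by": collector, "at": now}],
        })
    return {"case_id": case_id, "created": now, "items": items}


def record_custody(manifest: dict, name: str, action: str, by: str) -> None:
    """Append a custody event (handover, analysis, export) for one artifact."""
    for item in manifest["items"]:
        if item["name"] == name:
            item["custody"].append({"action": action, "by": by,
                                    "at": datetime.now(timezone.utc).isoformat()})
            return
    raise KeyError(name)


def verify_manifest(manifest: dict) -> dict:
    """Re-hash every artifact; return {name: 'ok' | 'modified' | 'missing'}."""
    status = {}
    for item in manifest["items"]:
        p = Path(item["path"])
        if not p.exists():
            status[item["name"]] = "missing"
        elif p.stat().st_size != item["size"] or sha256_file(p) != item["sha256"]:
            status[item["name"]] = "modified"
        else:
            status[item["name"]] = "ok"
    return status


def demo() -> dict:
    """Constructed scenario: three artifacts are preserved; one is later
    overwritten (a rotated log) and one deleted during hasty cleanup."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        auth_line = "Jul 12 03:14:07 web01 sshd[812]: Accepted password for admin\n"
        (d / "web01.mem").write_bytes(b"\x00MEMDUMP" * 64)   # constructed memory dump
        (d / "web01.auth.log").write_text(auth_line)         # constructed log
        (d / "db02.disk.dd").write_bytes(os.urandom(4096))   # constructed disk image
        manifest = build_manifest(sorted(d.iterdir()),
                                  collector="ir-analyst-1", case_id="IR-EXAMPLE")
        record_custody(manifest, "db02.disk.dd", "handed to forensics vendor", "ir-analyst-1")
        # Tamper after acquisition: log gets rotated, memory dump gets wiped.
        (d / "web01.auth.log").write_text(auth_line + "Jul 12 04:00:01 web01 logrotate: rotated\n")
        (d / "web01.mem").unlink()
        status = verify_manifest(manifest)
        manifest_json = json.dumps(manifest, indent=2)  # keep a copy off the affected systems
        custody_events = len(manifest["items"][0]["custody"])  # items sorted: db02.disk.dd first
        return {"status": status, "custody_events": custody_events, "manifest_json": manifest_json}


if __name__ == "__main__":
    print(json.dumps(demo()["status"], indent=2))
```

The manifest JSON should be stored (and ideally signed) somewhere the attacker and the cleanup crew cannot reach it; the size check runs before the hash so a truncated image is flagged cheaply, and a `missing` result is exactly the "reimaged before imaging" failure the text describes.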
Failure #4: Not thinking about response through the lens of potential litigation.
Even with 81 percent of companies having a response plan, 72 percent of security officers do not think their organization's plan would be effective in reducing the likelihood of lawsuits (Ponemon Institute). As the legal backdrop around data security continues to evolve, these concerns are not unfounded. Recent cases have given plaintiffs an easier path to standing, opening companies up to greater risk of litigation and settlements. For example, in the P.F. Chang's class action the court ruled that the plaintiffs had standing in part because P.F. Chang's own statements following the breach urged customers to take protective measures, such as monitoring their credit, which implied that customers were at real risk of identity theft or fraud.
Closely monitoring actions taken by attorneys general and new case law, and reviewing breach notifications with counsel before they go out, can help companies as they continue to build their incident response plan.
Failure #5: Not working with the proper external experts who can help navigate the issue.
Having the right team in place greatly increases a company's chance of successfully navigating a data breach. That team should include outside counsel specialized in data breach response, an IT forensics firm, the cyber insurance carrier, public relations experts and a data breach resolution partner. Assembling this group of experts in advance lets a company respond quickly to a potential incident. Better still, connecting these professionals with each other ahead of an incident and ensuring all contracts and retainers are already in place removes administrative hurdles at the moment they would cost the most time.