Maksim Kabakou - Fotolia
You get into the office early one morning – having stopped along the way at your favourite coffee bar – ready to settle in and catch up on some work. You notice several missed calls and some voicemail messages on your phone. Hearing one of the messages nearly makes you spill that coffee all over your desk: The company network and systems have been infiltrated and first indications are that the amount of data taken is massive.
We can all conjure up images of what may have happened when the CIO of Ashley Madison received the news. Almost everyone knows breaches are a matter of “when”, not “if” – so what can companies do to prevent, respond and contain data breaches?
Prevention requires several key things: network monitoring, ensuring timely patches and updates, a documented and robust security programme, training, an incident response plan and cyber insurance. If employees are aware of what they can to do to prevent a breach, there’s no better way to co-opt the entire organisation into helping prevent a breach.
When those defences are breached, the first thing required is an assessment of the situation so it can be reported to your CEO and to legal, whether it’s an in-house legal function or to your solicitors. With prior planning, every organisation can master the first steps of a data breach.
Breach response always starts with answering the basic questions around who, what, where, when, why and how. It is important to understand if the intrusion is continuing, as well as what may have been lost or compromised and what kind of data it is, such as personal information, trade secrets and payment cards.
Answering the “what” includes getting the best possible estimate of individual records compromised. Understanding the “who” includes assessing whether any of your suppliers were affected and through which avenue access was gained. The “who” could also be an employee who was either phished or consciously responsible for the loss.
Every serious breach should include instructing outside solicitors who are experienced with breaches and understand the technical, legal and regulatory implications, as well as the applicability and importance of attorney-client privilege to any investigation. It is important to establish an attorney-client relationship at the earliest opportunity.
Breach response also includes assembling the correct response team – one that includes subject-matter experts around the “who, what, why, when and how” and can work with your solicitors and the forensics team to help define containment strategies. The response team should appoint a team member responsible for external communications and public relations.
Breach response should not be viewed as the initial scurrying about to pin down the facts. The response can take some time, as not all of the facts will come to light immediately. A crucial part of the response will include documenting what happened, ensuring that evidence is preserved and making sure there are regular reports to senior leaders.
Working with your solicitors will be important to determine whether law enforcement should be involved and whether there are notification obligations to regulators, such as the Information Commissioner’s Office or the Financial Conduct Authority, and whether it would be appropriate to notify affected individuals.
If payment card data or financial data of the company has been compromised, payment card processors and/or banks may need to be notified and your organisation may decide to keep monitoring the company’s bank accounts for unusual activity.
Containment can only be started once there is an understanding of how the breach occurred and whether any intrusion is ongoing.
Remediation can only start taking place once a breach is contained and should be done in a way that is sensitive to ensuring evidence gathered about the breach, response and containment is preserved.
Only once the breach is contained will the costs become clearer. The time and expense put into responding can demonstrate that the company has taken the intrusion seriously and it is trying to do right by consumers and investors. It can also form the basis for recovering damages if litigation is warranted. The average consolidated cost of lost records in a data breach is $201 per record, so losing 10,000 records could cost the company nearly $2m, according to the 2015 Verizon Data Breach Investigations Report.
The investigation, regulatory impact and potential litigation may continue for years. However, proper management of data by CIOs and chief information security officers (CISOs) may prevent them from being personally accused for their actions – or inactions – prior to and during any data breach, or even being personally named as parties in lawsuits.
Cynthia O’Donoghue is a partner at Reed Smith LLP.