Preparing for a Data Breach

The increasing frequency of cyber attacks against companies of all sizes and the consequent disclosure of user information gathered by the attacker has led to an explosion of data breach regulations around the world. It’s important for your business to understand what data breach notification is and the expectations set out by data breach laws and regulations.

It’s long been regarded by information security professionals that it’s not a question of “if” you suffer a data breach, it is just a matter of “when.” The inevitability of a data breach makes it a risk you need to understand. Don’t be complacent while there isn’t much of a threat of a data breach: as soon as your service or site becomes the “in thing” and growth booms, that is when you become the likely target. And it is precisely at that time that you don’t have the bandwidth to figure out how to react. Plan ahead and be ready to execute your plan when the time comes.

A data breach is a significant event, and reacting poorly could result in disastrous public relations, but there are serious legal obligations as well. It goes without saying that you should always work towards minimizing the risk of a data breach. That work includes limiting what personal information you collect, being careful about how it gets disseminated throughout your systems, minimizing the length of time you store the information, and doing what you can to limit access as well as encrypt the storage. In addition you also need to be diligent about protecting and monitoring your systems, and have a planned response to an incident.
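The collection, retention and access controls listed above are easier to reason about when they are enforced in code at the point where data enters the system. The following is an added example, not code from the original post: it keeps only an allow-listed set of fields (data minimization), replaces the e-mail address with a keyed HMAC pseudonym so downstream systems never hold the raw identifier, and purges records that have outlived a retention window. The field names, the demo key and the 90-day window are assumptions chosen for illustration.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

# Fields the application actually needs. Anything else submitted with a
# record is discarded before storage (data minimization).
ALLOWED_FIELDS = {"user_id", "email", "plan", "created_at"}

# Constructed demo key for this example only; a real deployment loads the
# key from a secrets manager and never embeds it in source.
PSEUDONYM_KEY = b"demo-key-not-for-production"

# Assumed retention window after which stored records are purged.
RETENTION_DAYS = 90


def minimize(record: dict) -> dict:
    """Keep only the allow-listed fields of an incoming record."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    Systems that only need to correlate records (analytics, logs) can work
    with the token; the raw value stays inside the collection boundary.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Minimize a record, then swap the e-mail for a pseudonym token."""
    slim = minimize(record)
    if "email" in slim:
        # Normalise case so the same address always maps to the same token.
        slim["email_token"] = pseudonymize(slim.pop("email").lower())
    return slim


def purge_expired(store: list, now: datetime,
                  retention_days: int = RETENTION_DAYS) -> list:
    """Return only the records created inside the retention window."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in store
            if datetime.fromisoformat(r["created_at"]) >= cutoff]


if __name__ == "__main__":
    incoming = {"user_id": "u1", "email": "Alice@Example.com",
                "ssn": "000-00-0000", "plan": "pro",
                "created_at": "2012-01-01T00:00:00"}
    stored = prepare_for_storage(incoming)
    print(stored)  # no ssn, no raw email, an email_token instead
    kept = purge_expired([stored], datetime(2012, 6, 1))
    print(len(kept))  # 0: the record is older than 90 days
```

The purge runs against whatever the retention window is, so shortening the window is a one-line policy change rather than a migration; the pseudonym token is deterministic per key, which is what lets separate systems join on it without any of them storing the address.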

In this post I’m going to provide a brief overview of some of the most prominent privacy breach notification legislation so you understand your obligations. Then I’ll cover how you should respond in the event of a breach so that you can get a plan in place.

US and EU Regulations

Many countries around the world have breach notification laws on the books, and a company’s requirements under these laws vary widely depending on where your servers and your customers are located. I’m not going to cover them all nor try to provide a deep explanation. If I were to try to thoroughly cover all of the laws and regulations around the world I’d have enough information for a very long book, so I’m only going to touch on laws in the US and European Union, since that likely provides enough information to give you a solid foundation to work from.

Note: Which local regulations you need to follow depends on a number of variables and really is better left to a lawyer to answer, and I am not a lawyer. Therefore you should not take what I say as legal advice. You are responsible for the accuracy of your own policies and procedures.

The European Union’s 1995 Data Directive laid out regulations for breach notification among the participating countries in Europe. Earlier this year the EU announced draft plans to update these regulations. The proposed regulations still have to go through two EU governing bodies, which have the opportunity to make changes, but when they go into effect some time in the coming years they are likely to be close to the current proposal.

The current version of the proposed regulations requires that organizations notify the authorities about data breaches as early as possible. Specifically the regulations say “if feasible within 24 hours,” which sets a pretty aggressive obligation. The regulations also require that the company notify the affected customers as well.

In the United States, forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. These laws have appeared relatively quickly.

The first such law, the California data security breach notification law, was enacted in 2002. The law requires “a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information … to disclose in specified ways, any breach of the security of the data … to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” In other words, companies doing business in California must immediately disclose a data breach to customers, usually in writing.

By 2005 twenty different states and the City of New York had followed California’s lead and passed laws requiring companies collecting or storing personally identifiable information to notify the subjects of the information if that information is compromised. By 2008 there were laws and regulations in thirty states. As mentioned earlier, ten short years after the California law was enacted, separate US laws now span forty-six states. There have been a handful of attempts to get a national law through Congress but none have passed. I believe a national law is inevitable and we will all breathe a sigh of relief not having to worry about responding to so many separate laws.

Due Diligence Prior to a Breach

Before responding to a data breach you first need to recognize that one has occurred. The significance of this task shouldn’t be overlooked. When lawyers use words like “reasonable” and “adequate” with regard to a data breach they’re referring to things like making sure that, at a minimum, you are logging activity and reviewing those logs for anything suspicious. You don’t have to comply with every NIST publication, but a “reasonable” effort needs to be made to detect a breach. There are many software and hardware solutions to help in this area. If you are unsure how to approach this task you can find many managed service providers and consultants that can step in to help.
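To make “logging activity and reviewing those logs” concrete, here is an added example of the kind of review a small team can automate; it is not code from the original post. It parses constructed authentication log lines in an assumed key=value format and flags two patterns that warrant a human look: a successful login for a user/source pair that was preceded by a run of failures inside a short window, and successful logins outside an assumed business-hours range. The thresholds, the log format and the sample lines are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2012-05-01T02:13:01Z host=web1 event=login user=alice src=203.0.113.5 result=FAIL
2012-05-01T02:13:03Z host=web1 event=login user=alice src=203.0.113.5 result=FAIL
2012-05-01T02:13:04Z host=web1 event=login user=alice src=203.0.113.5 result=FAIL
2012-05-01T02:13:06Z host=web1 event=login user=alice src=203.0.113.5 result=FAIL
2012-05-01T02:13:08Z host=web1 event=login user=alice src=203.0.113.5 result=FAIL
2012-05-01T02:13:10Z host=web1 event=login user=alice src=203.0.113.5 result=OK
2012-05-01T09:30:00Z host=web1 event=login user=bob src=198.51.100.7 result=OK
2012-05-01T23:45:00Z host=web1 event=login user=carol src=198.51.100.9 result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s*(?P<kv>.*)$")


def parse_line(line: str):
    """Turn one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None  # timestamp missing or in another format: skip the line
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = ts
    return fields


def review(log_text: str, fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=5),
           business_hours: tuple = (8, 18)) -> list:
    """Scan login events and return a list of findings for a reviewer.

    Findings are dicts with a 'type' key so they can be routed or counted.
    """
    findings = []
    # (user, src) -> timestamps of recent failures still inside the window
    recent_fails = defaultdict(list)

    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("event") != "login":
            continue
        key = (ev.get("user"), ev.get("src"))
        ts = ev["ts"]

        if ev.get("result") == "FAIL":
            recent_fails[key].append(ts)
            # Forget failures that fell out of the window.
            recent_fails[key] = [t for t in recent_fails[key] if ts - t <= window]
            continue

        if ev.get("result") != "OK":
            continue

        # A success right after a burst of failures is worth a look.
        if len(recent_fails[key]) >= fail_threshold:
            findings.append({"type": "success_after_failures",
                             "user": key[0], "src": key[1],
                             "failures": len(recent_fails[key]), "at": ts})
        recent_fails[key] = []

        # Successful logins outside business hours are flagged for review.
        start, end = business_hours
        if not (start <= ts.hour < end):
            findings.append({"type": "off_hours_login",
                             "user": key[0], "src": key[1], "at": ts})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the review reports alice’s success after five failures (and, separately, that it happened at 02:13), and carol’s 23:45 login; bob’s mid-morning login produces nothing. The point is less the two rules than the habit: findings go to a person on a schedule, and the rules grow as the team learns what “normal” looks like for its own systems.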

Also, implicit in those tricky legal terms is an obligation to protect the data. Ensuring you are preventing the most common attacks is a must. Covering what those threats are is a topic for another post, but the Verizon 2012 Data Breach Investigations Report had this to say:

Findings from the past year continue to show that target selection is based more on opportunity than on choice. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.

Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult. Those that were on the more sophisticated side usually exhibited this trait in later stages of the attack after initial access was gained.

Given this, it’s not surprising that most breaches were avoidable (at least in hindsight) without difficult or expensive countermeasures.

…While at least some evidence of breaches often exists, victims don’t usually discover their own incidents. Third parties usually clue them in, and, unfortunately, that typically happens weeks or months down the road.

Responding to a Breach

You find yourself in the unfortunate situation of realizing you’ve lost customer data to an attacker. What do you do now? The FTC provides the following guidance, which is a good general framework for anyone regardless of location.

Notify Law Enforcement
Once you suspect a data breach has occurred and have a good idea who may be affected, it is time to kick in the plan to respond to the incident. The first step is to get law enforcement involved. This can be your local law enforcement agency, or if they are unequipped to handle a breach, you can call on state or national law enforcement. In the US this would be the local FBI or Secret Service office.

Notify Affected Third Parties
Consider the type of data that was stolen and how it relates to the services and partnerships with which you exchange data. If any account information, or information you’ve collected on behalf of another business, was stolen, notify the company that manages those accounts so they can react appropriately. If banking or credit card account information was compromised, notify the issuers so they can monitor for fraud, and get help from the credit bureaus as well.

Notify Individuals
All of these steps are important to follow, but none is more important than notifying the affected individuals. This is nearly a universal requirement in laws and regulations around the world. The suggested method is to send a written notice when possible. Before taking this step, though, it is important to get a lawyer involved in crafting the notice. The laws here are specific and vary widely depending on a number of factors, so this is not something you should tackle without legal guidance. However, the US Federal Trade Commission offers a sample letter you can use and customize to suit your needs.

Consequences of an Improper Response

If you are found negligent you may face a fine from regulators. However, if you’ve done your best to understand the law and follow the obligations it imposes, you are less likely to face the maximum penalty. Regulators will look more favorably on those who try, even if the execution is a bit flawed. And those fines can be steep.

The new EU regulations propose three tiers of fines, the first of which runs up to 0.5 per cent of annual revenue, the second up to 1 per cent of annual revenue. The top tier allows for a fine of up to 2 per cent of annual revenue. These are steep fines.

In the US some states include a “private right of action,” the right for individuals to seek monetary compensation. The limits here range widely, but when the court has discretion and the law only provides guidance, the monetary damages can be devastating.

The legal obligations and potential fines of a data breach lead to staggering costs. The Ponemon Institute estimates the average cost to be $214 per record breached. At that cost per record, even when only a thousand records are compromised the cash outlay required to respond is sobering ($214,000). That is just the average, though. What the report doesn’t take into account is the possible range of costs. A company that is prepared and responds properly may find its cost per record is much lower, so being prepared and responding properly can mean life or death for a company.

Creating the Plan

There are some excellent templates online that you can follow as a framework for creating an incident management plan. AllClearID has a good comprehensive package, the American Institute of CPAs offers another one, or you can go to a company like Experian and have them work with you to put a plan together.

With a basic understanding of the laws and regulations that obligate a company to act in the event of a data breach, you can ensure minimal distraction and avoid costly errors. A solid plan isn’t that hard to piece together and can be updated at least annually with minimal effort. If you value your company, its financial health, and its reputation, you should be prepared for the inevitable data breach.
