How To Prepare for, Respond to and Manage Breaches
By Angelique Carson, CIPP/US
Breaches, lapses, incidents. They are going to happen, and they are going to happen to you. How you prepare will make a huge difference both mid-crisis and post-crisis. That was the premise of a session at the IAPP’s most recent Practical Privacy Series in New York City.
Experts Emily Stapf, director of cybercrime and forensic investigations at Pricewaterhouse Coopers; Mark Seifert of Brunswick Group, and Tim O’Brien of the FBI’s cybercrime division focused on the reality that organizations must shift from the mindset that breach preparedness is important because a breach might occur and understand that breach preparedness is important because a breach will occur—and it’s only a matter of time.
Before a breach, during peacetime, Stapf suggests walking through the company playbook to ensure the appropriate policies are in place, particularly surrounding data.
“Much like an IT team would go through exercises, think of data breach prep in the same light,” she said. “The opportunity before you have an active breach is for you to really lock down on what kinds of sensitive data you have in your organization and where it is—document data flows.”
The experts discussed the people, processes and technology organizations should employ to ensure the best possible outcome before, during and after a breach occurs.
Before the breach
- Know who you’ll call for help.
- Establish an incident response team.
- Provide regular training for employees; keeping an outside team—including forensic experts, privacy counsel and communications firms—close by.
- Know what data you are protecting and where it is stored.
- Go through hypothetical breach scenarios with a response team.
- Know which employees have access to which applications and learn what the reporting obligations may be in case of a breach.
- Enable network logging, and be sure it’s sufficiently large.
- Back up servers and be sure backups are under control.
- Enforce records management, and destroy old data.
- Implement full-disk encryption on laptops.
- Implement increased security measures, such as password standards.
- Implement DLP to monitor the perimeter.
- Effectively manage security integration from acquisitions.
Seifert said communication is an essential part of the data breach response, and a plan should absolutely be established before a breach occurs.
“I would want to know ‘Who am I calling first?’” Seifert said. “I would want to know my social media avenues, who my friends are, who my enemies are. And if I’m front-and-center and leading in the privacy world, I want to know who my advocates are. Who can step in and say, ‘They are doing a great job; they’ve got the right attitude. They care about who their customers are.’”
Mistakes are inevitable, he added, but how a company handles an incident is what will differentiate it from its competitors.
During the breach
- It’s important to keep the people who are “in the know” small.
- Engage forensic experts, a communications team and privacy counsel from the beginning.
- Effectively manage incident response project management.
- Anticipate threats internally and externally.
- Consider the impact of third parties.
- Act immediately to remediate vulnerabilities.
- Don’t reach out to the public too soon.
- Cast a wide data-mining net.
- Document actions taken to share with regulators later.
- Update investigative team.
- Do not communicate preliminary numbers.
- Consider each finding’s business impact.
- Take live memory dumps before shutting down servers.
- Insist on full forensic images of servers and laptops.
- Pull network logs immediately, and increase log capacity.
- Pull oldest available backups.
- Rest passwords quickly.
- Be careful with evidence handling.
Stapf said it’s essential to have full-disk encryption and servers that are backed up and intentionally tested
“You’ve got to be testing these things as you go,” she said. “The biggest thing from a technology perspective is making sure you’ve got logging enabled. Network logs are digital fingerprints that tell you who traversed the networks at which point in time. It’s extremely valuable when the breach happens, but before the breach, you’ve got to turn it on.”
The FBI’s O’Brien knows firsthand how messy post-breach investigations can be.
“Our job is to figure out who did it,” O’Brien told the crowd. “In almost every situation we’ve dealt with, and we deal with a lot of really big companies, there’s confusion on the company’s end as to who on the network team has access to what—that is, who can actually go and pull things off of that computer so we can get some evidence that there’s a piece of malware.”
O’Brien said the FBI’s cybersecurity team tends to be focusing less on scams these days and more on intrusions, such as spear phishing, for example, which has become an increasingly popular way to steal data.
“It’s important to be aware of that, because it works, and it’s the simplest way to do it,” he said.
After the breach
- Use the breach exposure to promote the enhancement of the security program to the board.
- Revisit data governance structure, including security, legal and risk management.
- Deliver the employee base with a transparent and consistent message.
- Use the opportunity to roll out privacy training.
- Don’t assume it’s over until it’s over.
- Use the opportunity to expand privacy and security programs.
- Document lessons learned.
- Do not overcommunicate or revise numbers.
- Anticipate long-term regulatory scrutiny.
- Use the opportunity to build privacy and security into new initiatives.
- Build a playbook.
- Develop a remediation plan with technology enhancements.
- Test remediation actions.
- Consider global improvements.
- Preserve investigative evidence.
- Change encryption, external media, USB and e-mail policies.
- Reconsider cloud and third-party technology providers’ preparedness.
Stapf said ahead of any investigation following a breach, it’s imperative not to allow an underqualified individual to take control of forensics, and it’s essential those involved don’t try and target what they believe to be evidence.
“You don’t know yet if you’re floating on the tip of an iceberg or dealing with an ice cube,” she said. “Make your net of data capture broader than you think it needs to be. Inevitably, you’ll go back to extreme data sources and say, ‘We’ve proven it didn’t go beyond where we thought it did,’ or you’ll know an investigation needs to expand."
Staph went on to say that it’s imperative servers are not unplugged right away, though that may be the first reaction.
“One of the things (O’Brien) is going to want to see when he comes in to help is what kind of active malware was running at the time you noticed the breach, and those pieces only exist for a fleeting moment on a system.”
Seifert said, throughout breach management, a company’s messaging is essential. A communications strategy must be developed, and any part that can be prebuilt should be.
“Even if you get the law right but you get the communications strategy wrong, you’re going to get pillared in the public, and you will lose,” he said. “Your brand may be tarnished, and that may cost you a lot more at the end of the day than just paying for credit-monitoring.”
Seifert suggested organizations resist playing “the blame game” and instead focus on what the customer wants and needs to know, such as, “Are you going to take care of me? Has the bleeding stopped?”
It’s damaging to convey to an affected consumer that the breach is minimal and unimportant.
“If it’s my information, it’s really big, and I take it really seriously,” Seifert said. He added it’s important to know who the relevant regulators are and how they interact, and guarantee that any internal documents do not circulate.
Any commitments an organization makes to the consumer early on in the breach investigation process must be followed through, he said.
“You have to live by those commitments. If you don’t do right by them the first time, they won’t believe you the second time. And there will be a second time.”
Read more by Angelique Carson:
Researchers Publish Study of Indian Privacy Perceptions
Data protection was not a game at London’s 2012 Olympics
Getting to know a privacy pro
Chief privacy officers discuss employee privacy training