Create a Data Breach Response Plan Before the Inevitable

Preparing to defend and mitigate damage from a security breach is not fun. It is a frustrating and unpleasant use of human and financial capital. However, the failure to plan for an eventual data breach is irresponsible and, in some lawsuits, argued as negligent.

Varonis compiled 100 cybersecurity facts from Verizon, IBM, Forbes, World Economic Forum, and others, 15 of which are listed below and highlight the growing significance of data security in the new decade:

1. The United States saw 1,244 data breaches in 2018 and had 446.5 million exposed records (Statista).

2. Data breaches exposed 4.1 billion records in the first six months of 2019 (Forbes).

3. As of 2019, cyber-attacks are considered among the top five risks to global stability (World Economic Forum).

4. In 2019, c-level executives were twelve times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in years past (Verizon).

5. Healthcare and public sector spent the most time in the data breach lifecycle, 329 days and 324 days, respectively (IBM).

6. The average time to identify a breach in 2019 was 206 days (IBM).

7. The average time to contain a breach was 73 days (IBM).

8. The global number of web attacks blocked per day increased by 56.1% between 2017 and 2018 (Statista).

9. In 2019, while finance and payment companies saw the largest drop in share performance post-breach, prices fall 7.27% on average after a breach (Comparitech).

10. Healthcare is the most expensive industry for a data breach at $6.45 million (IBM).

11. The global average cost of a data breach is $3.9 million (IBM).

12. The average cost per lost or stolen record in a data breach is $150 (IBM).

13. 67% of costs occur in the first year of a data breach (IBM).

14. In 2019, the country with the highest average total cost of a data breach was the United States at $8.19 million (IBM).

15. The formation of an incident response team reduces the cost of a data breach by an average of $360,000 (IBM).

Combined with the right software and professionals, a cybersecurity incident response plan (CSIRP) can shorten the average time to identify and contain a breach (206 and 73 days respectively), which lessens the financial impact to the business. Further, by including a cybersecurity attorney to the CSIRP, both incident preparation and response enjoy attorney-client privilege.

As stated by both the American Bar Association (ABA) and SANS, an attorney’s work with a CSIRP helps establish attorney-client privilege to incident response inquiries, data breaches, and cyberattacks. While day-to-day network monitoring or other routine IT tasks will not enjoy attorney-client privilege, the failure to create and follow an incident response plan can have serious legal repercussions. To prevent such issues, the ABA recommends that every CSIRP include the following:

• Applicable laws or regulations;

• Data breach triggers;

• Person(s) or organization(s) to contact; and/or

• Information to include in reporting requirements.

Due to the numerous failed attempts to pass comprehensive cybersecurity legislation, SANS notes the “patchwork of rules issued by Congress, federal agencies, industry groups, and states has developed over time” as potential legal pitfalls mandating the attention of legal counsel. With “the 1996 Health Insurance Portability and Accountability Act (HIPAA), 1999 Gramm-Leach Bliley Act, and the Federal Information Security Management Act (FISMA) as part of the 2002 Homeland Security Act” and states, industry bodies, and other non-governmental organizations issuing their own regulations, SANS recommends the following:

The CSIRP must consider these laws and regulations when written. The laws and regulations will often define sensitive or protected data and the reporting requirements in the case of a data breach. The CSIRP needs to include this information so that the CSIRP knows when notification is required. Failure to follow the prescribed process can often result in fines or other penalties.

In building a CSIRP, the security and technology team should work alongside legal counsel to develop these phases:

Preparation:

• Make as many personnel decisions regarding notifications and task assignments as possible to avoid mistakes under pressure.

• Choose teams in each department to identify, contain, and recover from the breach.

• Allocate IT resources to departments in order of priority and do not forget to include internal communications to employees outside of IT (leaks are bad before customers can be notified).

• Get legal counsel involved should be included with personnel notified.

Identification:

• Determine the issue (ransomware, malware, suspicious code, insider threat).

• Determine if there is a threat to material with special legal protections (financial records, records of minors, healthcare records) - work with legal counsel.

• Determine if the business may continue to operate while the threat is on-going.

• If previously turned off, restore all internal auditing settings to track movement.

Containment:

• Isolate and secure all non-affected data to another location within the network or off the network.

• Change all passwords and encryption keys.

• Ensure physical security of the area.

Eradication:

• Ensure back-up data is secured.

• Clear all malicious code from network .

• Work with legal counsel to preserve chain of custody of evidence of breach.

Recovery:

• Identify the breach and conduct remedial training as required.

• Restore backed-up data to network.

• Determine reporting obligations to local authorities.

Lessons Learned:

• Study and improve.

Get assistance with your CSIRP. Reach out to Sarah@alexandersides.com.