Why is Cyber Incident & Data Breach Response Management Important?
The impact of a breach is no longer isolated; it reflects on the organization at large, and some studies estimate that organizations that suffer breaches lose nearly 10% of their value. Regulators expect organizations to keep logs of their incidents and to demonstrate due diligence and the capability to address risks before a breach occurs. They also expect organizations to respond to incidents and breaches efficiently and quickly, in multiple jurisdictions at once. This expectation demands a different approach to incident and breach management and response, and signals to the market that it is no longer acceptable to treat such events as a “one-off.”
Today’s breach landscape is complex. Most security incidents touch more than one jurisdiction. Even within the EU, where the regulation is the same, the regulators are not, and breach responses run against tight timelines for reporting to them. A security incident is an operational fact; a data breach is a legal determination, and data breaches must be reported to regulators and to affected parties within strict timeframes. Coordinating everything involved in identifying the affected data, determining whether the event meets the legal criteria for a breach, and producing the required reports in each jurisdiction is a complex process that must be automated and synchronized.
Cyber Breach Severity has Increased, But Breach Responses Aren’t Fully Coordinated
Breach is an area of privacy that gets a lot of attention from corporate management, consumers and regulators because of its often very public nature. What is surprising, given the frequency and impact of corporate incidents and breaches, is that most organizations have not yet matured their response to the point of presenting a documented, repeatable and defensible approach that demonstrates due diligence to stakeholders. Instead, most organizations attempt response and mitigation with portfolios of disjointed tools, manual processes and ad-hoc approaches.
Because of this, organizations are slow to identify which incidents cross the threshold of a breach. Poor or incorrect communication across the organization, and teams constantly reinventing the wheel, expose the organization to liability and possibly litigation.
Over the last five years, serious data breaches have occurred with increasing frequency. The publicity surrounding the Sony, Equifax and Capital One breaches, compounded by the actions of privacy advocates, has shown that regulators and the public are holding organizations to a higher standard.
Incidents can no longer be managed as a one-off because they can be the signal of many issues that could turn into a much bigger problem
Organizations face additional challenges when law enforcement and other bodies are involved, because the nature of those investigations and the stakeholders they bring in may affect the organization’s ability to meet notification timelines. Additional consideration needs to be given to the ‘no notice’ scenario. To make a defensible decision not to give notice, enough information must be collected and documented to justify that decision. This is an explicit obligation under some laws (such as Canada’s mandatory breach reporting framework) and is implied under any breach regime.
Additional complications arise from contractual obligations, which may carry stricter timelines and broader definitions than the legislation. In many business-to-business contexts, the client organization (“data controller” in EU parlance) carries the obligation to give notice within a limited period, and depends on its service provider (“data processor”) to tell it that an event has occurred. Careful consideration must be given to the knowledge imputed to the client in this context. Under the GDPR (Article 33), the 72-hour period for notifying a regulator runs from the moment the controller becomes aware of the event, and the processor must inform the controller without undue delay; a regulator will ask how quickly the controller could reasonably have known. Clients’ contracts therefore typically demand 24 or 48 hours’ notice (if not immediate) of an event so that they can meet their own obligations.
Regulatory Fines Have Increased & Are Receiving Board Attention
Fines for data breaches have increased in the past few years. More and more regulations stipulate fines as a proportion of an organization’s revenue. In addition to the privacy regulators, there are other forces at play, such as cybersecurity and competition law regimes, which can impose separate fines for the same breach. Yet executives tend to focus on the risk of fines instead of on what the breach says about the organization’s ability to manage regulatory data risk. So, do breaches get the right kind of attention, or are they being treated with a band-aid?
When it comes to data breaches, organizations face the compounded pressures of warding off legal action, demonstrating due diligence internally, and complying with multiple breach notification laws. The only approach that puts businesses in a winning position is to get the entire breach management and response process planned, organized, and documented in advance, to execute it diligently, and then to continuously improve it.
A well-defined, repeatable process, with set steps assigned to the appropriate stakeholders, enables the organization to meet the specific pressures and timelines of a breach response. The obvious benefits of such an approach are consistency and the ability to reliably demonstrate that the organization was prepared. Accurate execution shows that training and resources were allocated as part of a plan and were not an afterthought.
Automation & Breach Response Orchestration Are Key
Given the tight deadlines that accompany breach notification laws, in-house legal teams facing an incident must act quickly to understand the scope of the breach, how it occurred, what information was affected, and who the stewards of the affected data are. With all of the activity involved, it is incumbent upon Legal to coordinate the response process if privilege is to be established and maintained (more on that below). Properly orchestrating and communicating the notification process is key to establishing defensibility during breaches and other cyber incidents.
Depending on the nature of the breach, a company may have to notify regulators or customers whose data has been breached, and to report on and retain records of its investigation of the breach for specific timeframes. The exact requirements depend on the jurisdictions in which the violations occurred and the statutes that govern the breached data. The decision to report an incident is often a combination of objective and subjective considerations, including in determining the true severity of the incident. Given the range of potential outcomes, it is important to build a notification process that courts regard as reasonable and defensible. Like any other effective program at your organization, the keys lie in people, processes, and technology, and there are substantial savings for companies that invest in their incident and breach response teams, workflows, and platforms. While notification tends to be the lowest-cost aspect of a data breach, the expense still averages about $240,000, according to IBM’s Cost of a Data Breach report. A basic outline of a breach response might look something like this, with depth that may stretch into several potentially conflicting statutes:
- Validation of the data breach
- Identifying remediation requirements, including compliance with breach notification regulations in differing jurisdictions—which could include multiple dozens of reporting and notification requirements, timelines, definitions of personally identifiable information, and other conditions
- An investigation into the breach, with documentation
- Internal communication and coordination with appropriate authorities and outside counsel, as needed
- Notifying the data subjects of the breach, when required
Organizations are expected to manage multiple legal, regulatory and compliance obligations and to demonstrate how they responded to an event that may affect a large number of individuals in more than one jurisdiction. Because regulators cooperate closely, the actions an organization takes in one jurisdiction, and its ability to demonstrate that those actions were appropriate, can set a good or bad precedent for the aftermath of a breach everywhere else.
Cyber Breach Response Project Management:
- Create a central project tracking mechanism early on, and build the awareness among employees to report any event that contravenes your policies
- Allow the IT and cybersecurity teams to conduct their own investigation and follow their process, so that the chain of custody for evidence is maintained and forensics are not interfered with
- Appoint a Project Manager (PM) with the mandate to take charge and to verify whether an event is an incident or a breach, since not all incidents become breaches subject to extensive breach reporting and notification laws
- Record events in a log, because many regulatory authorities expect one. The added advantage is that a log can inform senior management about root causes, which can be early indicators of misunderstood practices that can be corrected
- Guide employees through the process: they cannot be expected to know what legally counts as an incident or a breach, but if they are engaged and feel part of the process they will know what to do and whom to tell at the right time
- Verify that the employees involved in the incident response process record the steps they took to meet the obligations, and to understand, investigate and ultimately repair the cause of the breach. Such a track record is invaluable in the eyes of an auditor or regulator
Strengthen the Defensibility of Your Cyber Incident & Breach Response Management:
- Document the legislative requirements that apply to your organization
- Document the facts in the light of all the applicable legal obligations (consider law enforcement, works councils, etc.)
- Document the process by which the analysis of the event has led to conclusions of notice (or no notice)
- Document the timeframes for which respective parties are required to be given notice
- Retain evidence that notice has been given, with the requisite information and in the form required by regulators
- Record and manage the interactions with the parties who have been given notice
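The two checklists above, the central tracking log and the defensibility record, can be backed by a small register. The following is an added example, not code from the original article or from any product it describes: an append-only, hash-chained breach register that records events, the notice or no-notice determination with its rationale (refusing a no-notice decision that has none), and each notice given, and that derives per-obligation deadlines from the awareness timestamp so overdue notices can be listed. The 72-hour EU regulator clock is the one timeframe the article cites; the 24-hour client contract clause, the actor names and the incident timeline are constructed assumptions.

```python
"""Tamper-evident breach register with per-obligation notice deadlines.

Added example, not from the original article. The 72-hour EU regulator
clock follows the article; every other obligation, actor and timestamp
below is constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64

# Hours from the moment the organization became aware of the event.
# "EU_regulator": 72 follows the article; the contract clause is hypothetical.
OBLIGATIONS = {
    "EU_regulator": 72,
    "contract_client_A": 24,   # assumed B2B clause: tell the controller within 24h
}


@dataclass
class Entry:
    seq: int
    ts: str            # ISO-8601 UTC timestamp of the recorded fact
    actor: str         # who recorded it
    kind: str          # "event" | "determination" | "notice" | "note"
    detail: dict
    prev_hash: str     # hash of the previous entry (GENESIS for the first)
    hash: str = ""


class BreachRegister:
    """Append-only log; each entry commits to the previous one via SHA-256."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    @staticmethod
    def _digest(e: Entry) -> str:
        payload = json.dumps(
            [e.seq, e.ts, e.actor, e.kind, e.detail, e.prev_hash], sort_keys=True
        )
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, ts: datetime, actor: str, kind: str, detail: dict) -> Entry:
        if kind == "determination" and not detail.get("notice", True):
            # A no-notice decision must carry the reasoning that justifies it.
            if not detail.get("rationale"):
                raise ValueError("no-notice determination requires a rationale")
        prev = self.entries[-1].hash if self.entries else GENESIS
        e = Entry(len(self.entries), ts.astimezone(timezone.utc).isoformat(),
                  actor, kind, detail, prev)
        e.hash = self._digest(e)
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        """True if no entry was altered, removed or reordered since it was written."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or self._digest(e) != e.hash:
                return False
            prev = e.hash
        return True

    def awareness(self) -> datetime:
        """Timestamp of the first recorded event starts every clock."""
        first = next(e for e in self.entries if e.kind == "event")
        return datetime.fromisoformat(first.ts)

    def deadlines(self) -> dict[str, datetime]:
        t0 = self.awareness()
        return {name: t0 + timedelta(hours=h) for name, h in OBLIGATIONS.items()}

    def outstanding(self, now: datetime) -> list[str]:
        """Obligations whose clock has expired with no recorded notice."""
        given = {e.detail.get("obligation") for e in self.entries if e.kind == "notice"}
        return sorted(n for n, d in self.deadlines().items()
                      if n not in given and now >= d)


def outstanding_after(r: BreachRegister, hours: float) -> list[str]:
    """Convenience: overdue obligations `hours` after awareness."""
    return r.outstanding(r.awareness() + timedelta(hours=hours))


def demo_register() -> BreachRegister:
    """Constructed timeline for a single incident (not a real case)."""
    r = BreachRegister()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    r.append(t0, "helpdesk", "event",
             {"summary": "employee reports misdirected export of customer list"})
    r.append(t0 + timedelta(hours=5), "pm", "determination",
             {"notice": True, "rationale": "personal data of EU residents left the organization"})
    r.append(t0 + timedelta(hours=20), "legal", "notice",
             {"obligation": "contract_client_A", "reference": "email-2024-03-02-01"})
    return r
```

In the constructed timeline the contractual notice is recorded at hour 20, so at hour 30 nothing is overdue, while at hour 80 the EU regulator notice, due at hour 72, is listed as outstanding. Editing any earlier entry in place breaks the hash chain and `verify()` returns false, which is the property an auditor or regulator wants from the record the checklists call for.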
Practical Ways to Establish & Maintain Privilege After a Cyber Event
Though cybersecurity case law is still somewhat unsettled, establishing a reasonable, repeatable process for handling a breach can help during litigation. Repeatable processes show that the business has a plan for such incidents, while ad hoc processes are less effective at demonstrating defensibility. The Sedona Conference has outlined the following steps to protect communications and documents created as a result of a data security incident, helping in-house counsel to preserve privilege:
- Proactively involve outside counsel in pre-incident activities that involve cybersecurity or other IT assessments being developed at the direction of the law firm, to help prioritize security controls based on legal and regulatory risks.
- Ensure that documents created by the business’s employees are created at the direction of outside counsel, solely for the purpose of assisting counsel in advising the business.
- Get specific IT vendors and forensics investigators on a retainer for the sole purpose of assisting outside counsel in advising the business of their legal obligations, rather than as a substitute for the business’s IT employees.
- Don’t disclose assessments, analyses, or forensics reports to other third parties, either purposely or accidentally. Use secure communications portals.
- Understand that documents may still be disclosed if privilege is waived or if the opposing party is able to prove that they need the information.
Managing incidents and data breaches is a key responsibility of the privacy compliance team. The rules on breach determination and response are stringent and require a well-orchestrated, multijurisdictional response. Organizations that have automated incident and breach management coordinating their legal, compliance, privacy and investigation teams are able to meet their deadlines, get better results, and avoid costly repercussions.