Association of Information Technology Professionals
San Diego Chapter
Cyber Liability Event, San Diego, California, July 23, 2014
Data Breach Readiness and Follow-up: Being Prepared for the Inevitable
Presentation by Beth Givens, Executive Director, Privacy Rights Clearinghouse
Thank you for the opportunity to participate in this discussion on data breaches this evening.
I’m Beth Givens of the Privacy Rights Clearinghouse. We are a nonprofit organization located here in San Diego and were established 21 years ago. We are a kind of “Dear Abby” of privacy and invite questions and complaints from individuals about a wide variety of privacy issues, primarily in the private sector.
Examples of topics that we cover are: Internet privacy, smartphones, medical records privacy, credit reports and financial privacy, workplace issues, employment background checks, and so on. We have a very large website containing consumer guides on such topics.
One of the most popular sections of our website is our Chronology of Data Breaches. Since 2005 we have been keeping track of data breaches in an online database. We have categorized and summarized nearly 4,500 data breaches, and enable users to search and sort this very long list in order to retrieve, for example, medical breaches only, breaches in the education sector for specific years, breaches in the past year that are the result of hacking, and the like.
I mentioned that our breach list numbers nearly 4,500 incidents. For those breaches in which they know the number of breached records – which is the minority of breaches, by the way – the number of records is nearly 900 million.
Even though our data base of breaches is large, I believe it is just the tip of the iceberg – it by no means is inclusive of all U.S. breaches.
I think all of us here know full well that any of our organizations could experience a security breach at any time. It’s not a matter of IF – rather, it’s a matter of WHEN a breach will happen.
And breaches can have catastrophic consequences for the company, the organization, the government agency, the university. A huge one is cost. A joint study by Symantec and the researcher Larry Ponemon reported in their 2014 study that when you add up all the costs, a data breach can set you back as much as $200 per compromised record. So if you have a database of, say 10,000 records, your cost would be $2 million. And that would be considered a rather small breach, relative to the many that we’ve been tracking over the years.
In a worst case scenario, a data breach can cause a company to go out of business.
Another huge consequence is the public relations damage that an organization experiences. Your reputation can take a huge hit. Just think of the Target breach. You don’t want to have to do what Target did early this year which was to take out a full page ad in newspapers across the U.S., explaining what happened, apologizing and promising to do better.
And of course you don’t want your clients or customers to end up becoming victims of identity theft because of a breach. This would damage your reputation even more, and would be a most unfortunate outcome for these individuals. A recent report by Javelin Strategy and Research found that nearly one in three data breach victims in 2013 also became a victim of fraud, such as identity theft, that same year.
That’s why I’m focusing my remarks on the importance of having a well-developed Incident Response Plan already prepared in advance -- so you are prepared when a breach does occur. And this is just a very brief overview. I’ll mention an excellent resource on this topic in closing.
FIRST: The development of an Incident Response Plan is a team effort and must come from the very top of the organization. The leader should be someone at the executive level. The Board should also be briefed. In addition to someone from the executive level, the team should be comprised of someone from each internal department. In addition to the executive level, this would include:
- the IT staff, of course, but in particular those with access and authority to key systems for analysis and backup
- policy expertise, such as someone from the legal department who is knowledgeable about, among other things, the California data breach notice law
- someone from the communications division, and if there is no such department, someone who can act as a spokesperson for the organization with the media and other outside entities
SECOND: The team must include the “first responders”, as well. These are individuals who can be notified 24/7, and who can quickly be called upon to set the Incident Response Plan in motion in case the worst happens and your organization experiences a breach. There should be a contact list for access to these first responders in the hands of everyone on the team. This must include after-hours contact numbers.
THIRD: Don’t wait until a breach happens to seek out contacts with key vendors and law enforcement.
Do some research and form a contractual relationship with a company that is experienced in response management. And by the way, there are several such companies who specialize in breach response.
- This company could, if you needed outside IT expertise, provide technical analysis of the incident and help you determine compliance requirements.
- It would also manage all your notification requirements. It would set up a call center and manage calls and emails from those affected by the breach who want additional information. The establishment of a specific web page dedicated to breach-related information is another one of the tasks this company could provide.
Also, determine the law enforcement contacts you will need to notify if you experience a breach. Make contact with them and establish a relationship before you need them.
Along those lines, be familiar with your regulatory environment. Here in California, breaches must be reported to the Attorney General. They have a very good data breach reporting website that you should become familiar with.
FOURTH: Your Incident Response Plan should include a communications plan. This consists of all the written materials that are part of a good response.
- You will want to write a breach notification letter that you can simply fill in the blanks when the time comes to notify those affected by a breach. Your letter should comply with the level of specificity under California law.
- I already mentioned having your website content prepared in advance so that you can set up a web page right away.
- You would prepare a press release that you can simply fill in the blanks with the pertinent breach information.
- Don’t forget to include materials in other languages if your customers or clients speak languages other than English.
- And by the way, each of these written materials must be PRE-approved so that you are not wasting time when a breach occurs hunting down the higher ups who must approve your written materials.
FIFTH: Depending on the type of breach that occurs, be prepared to offer appropriate credit report monitoring services at no charge to the affected individuals. There are a number of such monitoring services. You need to be familiar with these services and which would be the most appropriate for the type of data that would be compromised if your company experienced a breach.
You will want to be able to offer the most appropriate such service to the affected individuals when you notify them of the breach. So do your homework, and have a vendor or vendors lined up well in advance of any breach.
And by the way, this is another huge cost to organizations that experience a breach.
My closing comments? Simply… Be prepared. I’ve only scratched the surface regarding the importance of developing a robust Incident Response Plan well in advance of a breach.
References and Resources:
California Attorney General, Privacy Enforcement and Protection Unit. “Recommended Practices on Notice of Security Breach Involving Personal Information,” http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/recom_breach_prac.pdf?
Cavoukian, Ann. “Privacy by Design: The 7 Foundational Principles”
-- Video presentation, http://www.privacybydesign.ca/index.php/about-pbd/7-foundational-principles/
-- Privacy by Design: The 7 Foundational Principles (report, Jan. 2011), www.privacybydesign.ca/content/uploads/2009/08/7foundationalprinciples.pdf
-- “Getting to the Essence of ‘Cyber’: A Security Model Proposal for Privacy by Design (PbD)”.
-- “What REALLY Matters in Cyber Security”
Federal Bureau of Investigation resources
-- Computer Intrusions, http://www.fbi.gov/about-us/investigate/cyber/computer-intrusions
-- IC3 description, http://www.ic3.gov/media/IC3-Poster.pdf
-- Cyber’s Most Wanted, http://www.fbi.gov/wanted/cyber
-- The Nation’s Cybersecurity, http://www.fbi.gov/about-us/investigate/cyber/addressing-threats-to-the-nations-cybersecurity-1
-- iGuardian Intrusion Reporting Platform, http://www.fbi.gov/stats-services/iguardian
-- Cyber Crime, http://www.fbi.gov/about-us/investigate/cyber
Javelin Strategy & Research. “2014 Identity Fraud Report: Card Data Breaches and Inadequate Consumer Password Habits Fuel Disturbing Fraud Trends,” (Feb. 2014) www.javelinstrategy.com/brochure/314
National Institute of Standards and Technology (NIST) http://www.nist.gov/cyberframework/
-- Cybersecurity Framework, “Framework for Improving Critical Infrastructure Cybersecurity” (Feb. 12, 2014) http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
-- “Guide for Applying the Risk Management Framework to Federal Information Systems,” (Feb. 2010) http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
Online Trust Alliance. “2014 Data Protection and Breach Readiness Guide.” (April 7, 2014) www.otalliance.org/system/files/files/best-practices/documents/2014otadatabreachguide4.pdf
Payment Card Industry Data Security Standard, https://www.pcisecuritystandards.org/
NOTE: Businesses that handle payment card data must become compliant with the
Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) by December 31, 2014.
Pew Research Center Survey. “More online Americans say they've experienced a personal data breach”, (April 14, 2014) http://www.pewresearch.org/fact-tank/2014/04/14/more-online-americans-say-theyve-experienced-a-personal-data-breach/
Privacy Rights Clearinghouse:
“Chronology of Data Breaches.”
“How to Deal with a Data Breach.”
“Data Breaches: Know Your Rights.” Video: 4 minutes.
Saikali, Al. “The Target Data Breach Lawsuits: Why Every Company Should Care.” (Dec. 20, 2013) http://www.datasecuritylawjournal.com/2013/12/30/the-target-data-breach-lawsuits-why-every-company-should-care/
Symantec and Ponemon Research. “2013 Cost of Data Breach Study: Global Analysis.” (Feb. 2014) http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon-2013
U.S. House of Representatives, Energy and Commerce Committee. “Protecting Consumer Information: Can Data Breaches Be Prevented?” (Feb. 5, 2014)
-- Televised hearing, http://energycommerce.house.gov/hearing/protecting-consumer-information-can-data-breaches-be-prevented
-- Transcript, https://www.hsdl.org/?view&did=750769
U.S. Senate, Committee on the Judiciary. “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime” (Feb. 4, 2014)
-- Links for hearing video (3 hours) and testimony/statements of committee members and witnesses. http://www.judiciary.senate.gov/meetings/privacy-in-the-digital-age-preventing-data-breaches-and-combating-cybercrime
-- Testimony of Chairperson Edith Ramirez, Federal Trade Commission, http://www.ftc.gov/system/files/documents/public_statements/prepared-statement-federal-trade-commission-privacy-digital-age-preventing-data-breaches-combating/140204datasecuritycybercrime.pdf
Verizon 2014 Data Breach Investigation Report. (Feb. 2014), www.verizonenterprise.com/DBIR/2014
Wolf, Christopher of Hogan Lovells. “Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide,” (April 2012) http://www.americanbar.org/content/dam/aba/administrative/litigation/materials/sac_2012/22-15_intro_to_data_security_breach_preparedness.authcheckdam.pdf
[Resources compiled by Beth Givens, Privacy Rights Clearinghouse]