Best Practices for Advising Clients on Cyber-Security
By Amanda Marie Baer and Kenneth C. Pickering – March 13, 2013
Data breaches are quickly becoming one of the biggest threats faced by businesses. The sophistication and frequency of attacks and the volume of records compromised continue to escalate. Janet Napolitano, secretary of the Department of Homeland Security, recently testified that public and private computer systems face a dangerous combination of known and unknown vulnerabilities from which no industry, community, or individual is immune. Securing America’s Future: The Cybersecurity Act of 2012: Hearing Before the S. Comm. on Homeland Sec., 112th Cong. (2012).
A data breach can devastate a company by damaging its reputation and imposing significant direct costs, such as penalties, and indirect costs, such as lost customers and productivity. In 2012, data breaches affected companies across the country, including AOL, LinkedIn, Google, Zappos, and Massachusetts General Hospital. Data breaches also impacted non-profits, such as the Massachusetts eHealth Collaborative, a 35-person organization that spent over 600 employee-hours and $300,000 in fees to respond to the theft of a single laptop.
Almost every company maintains information that identifies customers or employees, such as Social Security numbers or credit-card data. As companies increasingly store personal information electronically, they simultaneously increase their vulnerability to security breaches. By planning in advance, companies can minimize the risk of a data breach and the substantial costs and impact imposed in the event a data breach occurs.
Six Steps to Guard Against a Data Breach
1. Audit. Companies must conduct an audit to develop a clear picture of their vulnerabilities. As a critical component of this audit, companies should track the personal information they collect to understand who the information is collected from, the method(s) by which the information is received, where the information is stored, and who has (or may have) access to the information. In addition, companies should audit their physical equipment, such as laptops and flash drives, to develop an inventory of the equipment and assess the security of each piece.
2. Data classification. After completing an audit, companies should classify the personal information they collect and store according to its criticality and sensitivity. The best-known classification scheme is the U.S. government’s top secret/secret/confidential/unclassified hierarchy; a business will usually adopt a simpler equivalent (for example, public/internal/confidential/restricted). Whatever labels are used, the scheme should specify, for each level, who owns the data, which security controls are required, and how long the data is retained and how it is destroyed.
3. Limit data access. By limiting employees’ and vendors’ access to personal information, companies can minimize the scope of losses and establish a level of accountability. To limit access, companies can (a) require authentication and restrict access to personal information to those whose role needs it; (b) scan outbound email and its attachments for personal information; (c) scan data copied to removable drives and backup systems; (d) manage devices by encrypting and tracking them and ensuring that they can be remotely wiped; and (e) establish processes that automatically revoke access (accounts, credentials, and devices) when an employee or vendor is terminated or resigns.
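As an added example that is not part of the original article, the following Python script shows what items (b) and (c) amount to in practice: a check that scans text leaving the company for Social Security numbers and payment-card numbers before a message is released or a file is copied to removable media. The attachment text is constructed; the validity rules (the Luhn checksum and the SSA’s area/group/serial restrictions) are the standard structural checks that keep look-alike numbers such as phone numbers and order references from being flagged.

```python
"""Scan outbound text for personal information before it leaves the company.

Added example, not from the article. The attachment text below is
constructed; the validity rules (Luhn checksum, SSA area/group/serial
restrictions) are the standard structural checks that separate real
identifiers from look-alike numbers such as phone numbers and order IDs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate SSN in the usual NNN-NN-NNNN form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Candidate payment-card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str     # "ssn" or "card"
    masked: str   # the identifier with all but the last four digits hidden
    offset: int   # where in the scanned text it was found


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return validated SSN and card-number findings, SSNs first."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", mask(m.group(0).replace("-", "")), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card", mask(digits), m.start()))
    return findings


def should_block(text: str) -> bool:
    """Policy hook for a mail gateway or removable-media monitor."""
    return bool(scan_text(text))


# Constructed sample of an attachment an employee might try to send.
SAMPLE_ATTACHMENT = """\
Employee: J. Doe, SSN 123-45-6789, badge 0042
Placeholder SSN in a template: 000-12-3456
Corporate card on file: 4111 1111 1111 1111
Mistyped card: 4111-1111-1111-1112
Phone: 617-555-0100, order ref 20240101123456
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ATTACHMENT):
        print(f"{f.kind:4} at offset {f.offset}: {f.masked}")
    print("block:", should_block(SAMPLE_ATTACHMENT))
```

Run against the sample, the scanner reports one SSN and one card number and ignores the placeholder SSN, the mistyped card, the phone number and the order reference. Findings are masked before they are reported so that the scanner’s own alerts and logs do not become another copy of the personal information the company is trying to contain.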
4. Establish data logs. If a data breach occurs, it is important for companies to have logs that allow a forensic investigator to determine the scope and cause of the breach. Logs are records of events written by systems and applications that together provide an audit trail. Web, client and server, operating-system, application, firewall, mail, and intrusion-detection-system logs should be enabled, retained long enough to cover a breach that is discovered late, synchronized to a common clock, protected against modification, and periodically tested so that an investigator can actually reconstruct events from them.
5. Security systems. Both physical and electronic security systems are necessary to protect against data breaches. Despite the public attention given to electronic data breaches, many data breaches occur when physical paper documents or computers are lost or stolen. To guard against physical breaches, companies can take steps such as storing all documents and equipment with personal information in a locked area with limited access, implementing access controls to the company, maintaining offsite storage facilities, and using overnight-shipping services that allow companies to track delivery.
There is an array of technologies that companies can use to guard against electronic breaches, and the development and availability of new technologies are continually driven by increased data-security regulation. Many technologies, such as data and disk encryption, firewalls, encryption of wireless networks, disabling shared folders by default, identity-verification security questions, browsers with phishing and malware protection, and email verification, are widely available and should be used by all companies.
6. Data-breach-incident plan. Companies should develop a data-breach-incident plan that can be used to quickly respond to a data breach. Once a plan is developed, companies should train key management and employees and periodically evaluate and update the plan.
By taking steps to guard against a data breach, companies can mitigate their losses and minimize the direct and indirect financial and reputational costs incurred in the event a data breach occurs.
Five Steps to Respond to a Data Breach
If a data breach does occur, it can impose significant financial and reputational costs on a company. The Ponemon Institute reported that cyber-security breaches cost companies an average of $194 per compromised record, and $5.5 million per breach. Companies must take immediate action in the aftermath of a cyber-security breach.
1. Confirm and contain. Determine the scope and cause of the breach. Details regarding the breach inform how the company must respond to prevent further intrusion and determine which records have been compromised. Data breaches range from orchestrated attacks on a company’s computer systems to the loss or theft of storage media or computers. Companies must also be mindful that actions taken to respond to a breach, such as wiping or rebuilding an affected machine or rotating logs before copies are preserved, can destroy the evidence needed to pinpoint the nature and cause of the breach itself.
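The following Python script is an added example, not part of the original article, that ties step 4 of the prevention list (data logs) to the scope question in this step: given preserved copies of an authentication log and a web-server access log, which customer records did an attacker actually read? Both logs are constructed. The authentication log uses a simple “<time> <event> user=<name> ip=<addr>” format assumed for this example; the access log uses the Apache/nginx “combined” format. The analysis only reads copies of the logs, so it cannot destroy evidence on the affected systems.

```python
"""Reconstruct the scope of a breach from authentication and web-server logs.

Added example, not from the article. Both logs below are constructed.
The auth log is a simple "<ISO time> <event> user=<name> ip=<addr>"
format assumed for this example; the access log uses the Apache/nginx
"combined" format. The analysis is read-only over copies of the logs,
so it cannot destroy evidence on the affected systems.
"""
from __future__ import annotations

import re
from datetime import datetime

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
RECORD_RE = re.compile(r"^/records/(\d+)$")   # URL pattern for one customer record


def suspicious_logins(auth_text: str, fail_threshold: int = 3) -> list[tuple[datetime, str, str]]:
    """Successful logins from an IP the account never used before, preceded by
    at least fail_threshold failures from that IP (a password-guessing pattern)."""
    known_ips: dict[str, set[str]] = {}          # user -> IPs of earlier successful logins
    failures: dict[tuple[str, str], int] = {}    # (user, ip) -> failures since last success
    hits = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue   # in a real case, count unparseable lines; silent gaps hide evidence
        ts = datetime.fromisoformat(m["ts"])
        user, ip, event = m["user"], m["ip"], m["event"]
        key = (user, ip)
        if event == "login_fail":
            failures[key] = failures.get(key, 0) + 1
        elif event == "login_ok":
            seen = known_ips.setdefault(user, set())
            if ip not in seen and failures.get(key, 0) >= fail_threshold:
                hits.append((ts, user, ip))
            seen.add(ip)
            failures[key] = 0
    return hits


def records_touched(access_text: str, logins) -> dict[str, set[int]]:
    """Record IDs successfully read by each suspicious (user, ip) at or after its login.
    A 403 or 404 is not exposure; a repeated read of one record counts once."""
    scope: dict[str, set[int]] = {}
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        r = RECORD_RE.match(m["path"])
        if not r or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        for login_ts, user, ip in logins:
            if m["user"] == user and m["ip"] == ip and ts >= login_ts:
                scope.setdefault(user, set()).add(int(r.group(1)))
    return scope


def breach_scope(auth_text: str, access_text: str) -> dict[str, list[int]]:
    """Map each compromised account to the sorted list of record IDs exposed."""
    logins = suspicious_logins(auth_text)
    return {u: sorted(ids) for u, ids in records_touched(access_text, logins).items()}


# Constructed logs: alice's account is guessed from 203.0.113.9, then used to pull records.
AUTH_LOG = """\
2013-03-14T01:50:00+00:00 login_ok user=alice ip=198.51.100.20
2013-03-14T02:10:01+00:00 login_fail user=alice ip=203.0.113.9
2013-03-14T02:10:03+00:00 login_fail user=alice ip=203.0.113.9
2013-03-14T02:10:05+00:00 login_fail user=alice ip=203.0.113.9
2013-03-14T02:10:08+00:00 login_ok user=alice ip=203.0.113.9
2013-03-14T02:12:00+00:00 login_ok user=bob ip=198.51.100.21
"""

ACCESS_LOG = """\
198.51.100.20 - alice [14/Mar/2013:01:52:10 +0000] "GET /records/1001 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - alice [14/Mar/2013:02:11:05 +0000] "GET /records/1042 HTTP/1.1" 200 512 "-" "curl/7.29"
203.0.113.9 - alice [14/Mar/2013:02:11:06 +0000] "GET /records/1043 HTTP/1.1" 200 514 "-" "curl/7.29"
203.0.113.9 - alice [14/Mar/2013:02:11:07 +0000] "GET /records/1044 HTTP/1.1" 403 0 "-" "curl/7.29"
203.0.113.9 - alice [14/Mar/2013:02:11:08 +0000] "GET /records/1042 HTTP/1.1" 200 512 "-" "curl/7.29"
198.51.100.21 - bob [14/Mar/2013:02:13:00 +0000] "GET /records/2001 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(breach_scope(AUTH_LOG, ACCESS_LOG))   # {'alice': [1042, 1043]}
```

The result names the compromised account and the two records it exposed; the request that was refused and the repeated read are not counted, and bob’s normal session is untouched. The answer is only as good as the logs: if the access log had not recorded the response status, or had been rotated away before the investigation, the company could not distinguish two exposed records from four, which is why step 4 insists that logs be retained, protected and tested before they are needed.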
2. Notification obligations. Companies must immediately determine if they are subject to federal and/or state notification requirements. Reporting requirements depend upon the type of information held by the company and the scope of the breach. Forty-six states impose reporting obligations in the event of a security breach. Federal laws containing reporting obligations include:
- Health Insurance Portability and Accountability Act (HIPAA);
- Health Information Technology for Economic and Clinical Health Act (HITECH Act);
- Gramm-Leach-Bliley Act;
- Federal Trade Commission Act; and
- Fair Credit Reporting Act.
Business partners: Because data is routinely shared between business partners, a data breach at one company can affect a number of other companies. Many contracts now require that business partners be notified of a data breach. Likewise, companies must be prepared for a data breach at any one of their business partners.
Individuals: Notification to individuals whose personal information has been compromised is often, but not always, required. Where sensitive information has been released, however, early notification lets the individuals themselves take steps to mitigate the harm, such as placing a fraud alert with the credit bureaus or changing passwords.
3. Insurance coverage. Companies should review all insurance policies to determine if and to what extent the company is covered for a cyber-security breach, and when and how to file claims. Companies can hedge the risks of a cyber-security breach by purchasing specific data-breach insurance known as “cyber liability insurance” or “cyber risk insurance.” Similar to any insurance plan, coverage varies, but may include coverage for regulatory fines and penalties, class-action lawsuits, and response costs.
4. Remedial actions. Companies should consider providing individuals whose financial data has been compromised with credit-monitoring services, identity-theft insurance, and/or reimbursement of card-replacement fees. Courts are beginning to hold companies responsible for customer costs resulting from a data breach. By offering immediate support to affected individuals, companies may avoid costly lawsuits and negative press coverage.
5. Customer inquiries. Once individuals are notified that they may be affected by a data breach, it is important to provide them with a means to contact the company with questions. To help restore confidence with individuals affected by the breach, companies should consider establishing a call center to respond to inquiries, and posting information and responses to frequently asked questions on a dedicated webpage.
Preventing a breach by the implementation of thoughtful cyber-security policies is the best outcome. But responding quickly, being as transparent about the breach as possible, and providing timely customer support are the keys to successfully managing a data breach if one should occur.
Keywords: criminal litigation, data breach, cyber attack, computer security, incident plan, personal information, electronic storage, notification obligations