It’s 2018, and companies are still fighting governments over how to handle data breaches. Verizon just lost a bid to stop users from suing it over several data breaches at its Yahoo! online property. The state of Pennsylvania sued Uber for waiting over a year to tell customers that their personal information had been compromised, joining Los Angeles and Chicago.
Unlike many states, the federal government in the US doesn’t have a data breach notification law, but a draft bill called the Data Acquisition and Technology Accountability and Security Act would introduce one. However, it would exclude financial institutions, including credit agencies (yes, that includes Equifax), from its requirements. It would require breach notification only if there were “a reasonable risk that the breach of data security has resulted in or will result in identity theft, fraud, or economic loss.” What constitutes a reasonable risk?
Against this backdrop of confusion and retribution, Iain Paterson’s talk at SecTor 2017 could not have been timelier. In November, he described how to respond to a data breach properly, drawing on his own experience as managing director of offensive and defensive cybersecurity services company Cycura.
Preparing for a breach
The basic building blocks for incident response are the same, Paterson says. Companies move through a series of activities, beginning with discovery and identification of the breach. They progress through triage (prioritize the threats and deal with them quickly), containment (stop the danger spreading), and recovery (rebuild affected systems and restore data). There is also a post-breach period, in which companies can learn from what happened and use the experience to bolster their defenses.
While these steps may look the same from 50,000 feet, there are some nuances when you get closer. Reactions will differ based on the kind of breach, and on the type of organization involved, Paterson says.
A ransomware attack may require a different response than the theft and publication of sensitive customer data. A company dealing with millions of customers’ healthcare information may need to respond differently than another handling seismological data from a handful of oil and gas clients.
Paterson sees some common mistakes among companies dealing with security breaches. One of them is a failure to foster the right communications at the right time. Understanding the internal and external information flows ahead of time is a must, he warns. Knowing how and when the legal team should talk to forensic experts is crucial in most cases, especially if the intent is to gather evidence for prosecution.
Another common problem is poor resource management. When someone discovers a breach, it’s all hands on deck as people scrabble to understand what happened and deal with the implications. Driving cybersecurity staff that hard for an extended period can burn them out. “Technical stars need time to rest,” he warns.
Preparing for the worst
What are the worst ramifications that a company can expect from a data breach? “If you screw up your incident response, and don’t inform the right people and don’t manage the communications and the event properly, it could be the end of the business,” Paterson warns.
Corporate death-by-breach hasn’t happened often, but there are a handful of situations in which companies have been sunk by attacks. The destruction of source code and project management firm Code Spaces, which lost access to its customers’ data after someone hijacked its AWS account, is a case in point. These are few and far between, though.
Still, reputational damage can be severe. Betraying customers’ trust by losing their data can tarnish a brand for the long term. Target, Yahoo!, and Equifax are cases in point. Data loss can also lead to long-standing financial problems. At the time of writing, Equifax’s share price was nowhere near what it had been before the September 2017 revelation of its data breach.
While lawmakers continue to debate what constitutes a reasonable risk, companies would do well to prepare their incident response strategies. When these breaches come to light, the markets can be slow to forgive those that dropped the ball.
Even though federal governments in North America could be doing more to protect citizen privacy, Europe is taking no prisoners. GDPR requires companies to maintain an internal breach register and to report breaches. Failure to do so could burden them with hefty penalties. Any company dealing with EU citizens will be liable, no matter where it is based.
For more information about dealing with a data breach, watch Paterson’s talk on the topic at SecTor 2017.