For the past 15 years, American organizations have lived in the shadow of breach disclosure. It all began in California under SB-13861 in 2002, which mandated written notification of victims of privacy breaches of unencrypted personal data. The law covers organizations located in or doing business in California. Because California is the most populous state in the US, the effect was that nearly every sizable organization in the US fell under this requirement. Over the years, almost every state and territory in the US has enacted similar laws.2 In that time, Americans have learned a few things (sometimes painfully) about how to deal with breach disclosure.
1. Identify all your data. But America is not alone in mandating breach notification and disclosure. Notification of either the affected parties and/or the authorities will be soon required for organizations storing data of citizens of the European Union3, Australia4, and South Korea5, and many more6. Most of these laws require notification within days or weeks of first discovering a breach, so the clock is running. Successful cyber-forensic investigations and responses can be time-consuming so it’s a good idea to assume the worst and get ready in advance. Here are ten ways to do that:
When you realize you’ve been breached, the first question you’re going to ask is: what did they get? Without a tight data inventory of what is stored where, you won’t be able to answer this question. Data within an organization can quickly multiply since IT equipment facilitates easy copying by its very nature. As Internet guru Kevin Kelly has said, “ Every bit of data ever produced on any computer is copied somewhere. The digital economy is thus run on a river of copies.”7 You need to work hard to have confidence that you know where things are really stored. Over the years, a few breach reports have included statements like “they didn't think there was anything sensitive on those computers.”8
2. Get rid of whatever data isn’t absolutely necessary.
Once you have a complete inventory of your data, it’s time to go back to business and organizational management and determine what you really need to keep. Think of personal data as radioactive. Any piece of it is so dangerous that it needs to be wrapped up in expensive protections and watched. The less of it you have, the less you have to notify on if a breach happens. Whatever you destroy, make sure it’s destroyed thoroughly. Many large American data breaches were caused by improper disposal of equipment or records.
3. Encrypt whatever data is left.
Want to get off the hook for disclosure? Make sure all the personal data you’re keeping is properly encrypted at rest. If the records are stored in a manner that is unreadable, then there is a low likelihood of exposure. Most breach disclosure laws are relaxed if what is breached is rendered unreadable. Be careful, though, because encryption can be harder than it looks. You need to use acceptable, strong encryption methods and adequately protect the cipher keys.
4. Log and monitor the data.
As stated in point #1, if or when something goes wrong, you’ll need to know what was leaked and where. The alternative is having to do a breach disclosure notification on all possible data within your organization. Not only do you need to track personal data as it moves around your organization, but you need to audit log everything that touches that data. Consider the circumstances when you’ll need to review these logs. You’re usually up against a notification deadline of days or weeks at best, so the logs should be easily accessible and quickly searchable, as well.
5. Train your users.
If a breach is happening, it’s preferable that you discover it first so you can contain the damage quickly. A key thing to stress in security awareness training for users is that if they see something amiss, they should report it to Security or IT right away. A phone call from a concerned user could mean the difference between a privacy breach of millions of records over a period of months and a breach of a dozen records for a few days. Get your whole organization on board in helping you spot and contain breaches.
6. Have a plan.
As we keep saying, the notification deadlines often do not provide a lot of time for a thorough investigation. When things go pear-shaped, the right people need to act quickly, decisively, and effectively. The best way to ensure this occurs is to have a detailed plan that everyone concerned is familiar with. The plan should also include considerations for the potential absence of key personnel like the Head of Security. Lines of succession and pre-generated decision trees can be included. The plan should include response guides for common breach scenarios and cross-reference handling guides for each type of data store that’s under possible impact.
7. Have a defined incident response team.
It’s not enough to have a plan if no one is trained and authorized to carry it out. The best practice is to have a dedicated Digital Forensics, Incident Response (DFIR) team as part of your security organization. When an organization is too small to set aside those resources, then roles should be assigned and communicated to the appropriate persons. The team should have received relevant training and be granted autonomy to act. The team should also be involved in developing the incident response plan, if not owning it outright.
8. Test, test, test.
Now that you have a plan and a team, you should test them. The most effective thing to do is a full mock drill on each incident scenario using the plan with after action reviews to adjust things as necessary. If that’s not feasible, even a table read-through of the plan with all the key players can be valuable practice. In addition to testing the response plan, you should also be challenging your existing cyber defenses with penetration testing on at least an annual basis. Lastly, you should be doing inventory spot tests across your organization to make sure that no personal data lies hidden and untracked.
9. Check with your third parties.
Regardless of how you’ve outsourced a function to a third party, the responsibility and blame will still fall back on you. Every third party with direct access to personal data that your organization is responsible for protecting needs to be part of your notification program. There should be contracts in place requiring the third party to notify you immediately upon realization of a security incident involving your data. Any hosting or service providers should also be scrutinized against this entire list of processes and plans.
10. Document everything.
You’ve done all the right things and you’re ready to deal with a breach. It’s important that it all be documented. It’s always prudent to expect the best, but plan for the worst. The worst-case scenario can involve not only a terrible data privacy breach but invasive regulator inspection into your practices. You could become unlucky and miss the notification deadline or omit notification on some records. No one is perfect, and after a cyber-attack, things will be hard to discern. To prove you’ve been doing the right thing from day one, document all your work. Document not only your plans, your training, and your inventories but document the creation, the management approval, the periodic reviews, and the training attendance sessions associated with everything. You will have done a risk analysis against your cyber threats, as well, so make sure that paperwork is in order.
All of these steps will help you help prove you tried to do the right thing. You weren’t negligent, just unlucky.