Experts agree that security incidents and data breaches have become an everyday cost of doing business. The Verizon 2017 Data Breach Investigations Report analyzes over 40,000 security incidents and more than 1,900 data breaches across 20 industries. Massive breaches, such as those at Sony, Anthem, and Target, have made headlines for months. However, smaller organizations are also at risk. An 18-bed county hospital in Illinois made news when hackers threatened to make 12,000-plus patient records public unless the hospital paid a ransom. No company, regardless of size or industry sector, is immune to privacy/security incidents and data breaches.
Data breaches are costly to both companies and their customers. According to the IBM-sponsored 2016 Cost of Data Breach Study: Global Analysis by Ponemon Institute, the average total cost of a data breach for participating companies grew 29 percent in the past two years to $4.0 million. The price of a breach, of course, extends beyond immediate response costs to business disruption, regulatory fines, lawsuits, customer churn, and brand damage, the effects of which can be felt for years to come. For customers whose data was compromised due to a breach, identity theft in all its forms is also a concern. The Ponemon/Medical Identity Fraud Alliance study, 2014 Fifth Annual Study on Medical Identity Theft, found that medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014.
Much of the media focuses on the security aspects of incidents and data breaches. Yet privacy and compliance officers have just as critical a role in mitigating the potential harms from incidents and data breaches as their information security counterparts. Companies must understand and abide by complex, even conflicting, regulations when responding to incidents and managing breach notification. Failure to do so increases the likelihood of greater regulatory scrutiny and punishment, as well as of more numerous and more serious harms to customers. This article provides compliance officers with an overview of the cyber risk environment and the organizational barriers to overcoming these risks; a discussion of the regulatory landscape and how it applies to incident response and breach notification; and, finally, best practices and a 12-step checklist for responding to incidents and managing data breach notification in a caring and compliant manner.
The Cyber Risk Environment
Cyber threats to regulated data are wide ranging, and include, but are not limited to:
Employee negligence or carelessness
Lost or stolen devices
System or application glitches
Organized crime rings
These threats, which put data at risk for unauthorized exposure and possible data breach, are exponentially greater in a world where data is no longer contained within the security perimeter of a single organization. Scott Johnson, who leads Unisys’s Stealth security solution and product strategy, cites three reasons for this so-called “vanishing perimeter.”
The exploding volume of easily accessible data. Johnson cites an IDC estimate that in 2015 “there will be approximately 2 exabytes of enterprise level unstructured data available…. One exabyte of storage could contain 50,000 years’ worth of DVD-quality video….”
The number of “access types,” including the 7 billion mobile devices. Cloud computing, too, alters the way data must be secured.
The “increased sophistication of the attackers and the attack types.”
Finally, companies are struggling with the growing rate and complexity of cyber attacks. John Riggi, Section Chief of the FBI’s Cyber Outreach Section, Cyber Division, noted that cyber threats from both nation states and organized crime are growing, most typically from Eastern Europe, Russia, China, and Iran. “There are two kinds of big companies in the United States,” James Comey, director of the FBI, has said. “There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”
The motivation behind these attacks is not always clear. Certainly there is a monetary incentive. Forged identities are one of many commodities for sale on the so-called Dark Web. Medical records, in particular, are attractive to criminals—they can access a patient’s name, DOB, Social Security and insurance numbers, and even financial information all in one place. “Credit cards can be, say, five dollars or more where PHI records can go from $20 say up to—we’ve even seen $60 or $70,” said Jim Trainor, the FBI’s deputy assistant director. In fact, criminal attacks on medical records are up 125 percent since 2010 and are the new leading cause of data breach in healthcare, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon Institute shows.
Other reasons for cyber attacks are more obscure. The most recent Sony breach, for instance, is still believed by many to have been a result of a government-sponsored cyber-attack by North Korea to stop release of the film “The Interview,” but the damage went far beyond hurting sales from a single film. In fact, the breach became a model of many of the new risks surrounding cyber attacks and the resulting data breaches: disruption of business operations; intellectual property theft; public embarrassment; and damaged relationships with business partners, clients, and employees. With the Anthem breach, there was speculation that organized cyber-criminals may hold medical records for ransom, demanding payment for not releasing the information online or to other criminal groups.
Organizational Barriers to Overcoming Cyber Risks
Unfortunately, many organizations lack the ability to detect and mitigate cyber threats in a timely manner. For example, risks are often addressed on a departmental level rather than an organizational one. This is especially true for privacy and security teams, which often concentrate on only part of the problem. Information security, for example, may overlook the human factor when it comes to safeguarding sensitive data. Yet Ernst & Young’s Get Ahead of Cybercrime: EY’s Global Information Security Survey 2014 revealed that 38 percent of respondents named employee carelessness or lack of awareness as the primary threat “that increased risk exposure.”
In addition, incident response and related activities are not a priority. In a Lancope-sponsored Ponemon Institute report, Cyber Security Incident Response: Are we as prepared as we think?, half of the IT and IT security professionals surveyed said that less than 10 percent of their security budgets go to incident response. Most respondents said budgets for incident response have not increased in the past two years. And according to the Ernst & Young report, only 33 percent of organizations surveyed plan to increase spending on their incident response capabilities this year, the same proportion as the previous year. This is despite the Identity Theft Resource Center noting a 25.9 percent increase in data breaches over the same period compared with the previous year.
A shortage of qualified staff also hinders an organization’s ability to launch an effective response strategy. The Ponemon Cyber Security Incident Response report found that many members of a computer security incident response team (CSIRT) are qualified to do the job; however, less than half of respondents said that those team members participate in ongoing, specialized training. In addition, 45 percent said their CSIRT has no full-time employees. Similarly, more than half of those surveyed for the Ernst & Young report said their organizations are “challenged by a lack of skilled resources.”
On a related note, the Cyber Security Incident Response report cited a lack of communication between security and senior executives as another problem—80 percent of respondents said they don’t often discuss potential cyber-attacks with executive management, and only 14 percent said their executive management participates in the incident response process.
The Difference Between Security Incident and Data Breach
The growing cyber risk environment, coupled with organizational challenges in addressing these risks, makes security incidents and data breaches a fact of life. These incidents pose many regulatory challenges for compliance officers. Perhaps the greatest of these is misunderstanding the difference between a security or privacy incident and a data breach. Such confusion seems inevitable, given the many variations of these terms. For example, they have been used interchangeably or even together, as in “data breach incident.” Understanding the distinction, however, is critical to minimizing data breach risks and mounting a compliant response that meets state, federal, and international regulations.
A security or privacy incident is a violation of an organization’s security or privacy policies involving sensitive information such as Social Security numbers or confidential medical information. These can range from a lost thumb drive to missing paper files to “sophisticated data attacks,” such as those associated with the Anthem and Sony breaches. A data breach, on the other hand, is a security (or privacy) incident that meets specific legal definitions under state and federal breach laws. Data breaches require notification to the affected individuals, regulatory agencies, and sometimes the media. Only a small percentage of privacy or security incidents escalate into data breaches. As noted earlier, the Verizon 2017 Data Breach Investigations Report covered 40,000 security incidents but only 1,900 confirmed data breaches—approximately 4.8 percent of security incidents.
The relatively low ratio of breaches to incidents may cause companies to “play the odds” and not treat each incident as a potential breach. In so doing, they assume substantial risk if they fail to notify customers whose data has been exposed and such exposure leads to identity theft or other types of fraud. Failure to notify regulators of a breach may result in costly fines, penalties, and lengthy corrective action plans (CAPs). To minimize these risks, compliance officers need a standard, repeatable process for assessing the data that was potentially exposed to determine whether or not the incident represents a data breach under the law. Only then can it be safely decided whether notification is required.
The Complex Regulatory Environment
Given the sometimes-conflicting definition of “incident” and “breach” as well as the various notification requirements among the different laws, there is a great likelihood that many data breaches go unreported. For example, 47 states, the District of Columbia, and three territories have enacted their own breach notification laws. These laws vary and can even conflict. What may be “only” an incident in one state could be a reportable data breach in another. According to one law firm, “…there is a pressing need to simplify data breach laws. The current patchwork of state laws presents an economic and technical challenge for businesses and consumers, and a headache for compliance counsel.” In an attempt at clarity, President Barack Obama proposed the Personal Data Notification & Protection Act, which would establish nationwide rules for data breach notification and preempt the state laws.
On the federal level, different laws govern different types of data: Health Insurance Portability and Accountability Act (HIPAA) for healthcare, and the Gramm–Leach–Bliley Act (GLBA) for financial services. Internationally, the European Union is advancing its data protection directive. In 2014 the Court of Justice of the European Union issued a ruling on the “right to be forgotten,” in relation to online search engines.
Each state and federal jurisdiction, conflicting or not, requires a separate incident assessment, which, as mentioned earlier, is the process of evaluating the facts of an incident against applicable laws to see if the incident meets the legal definition of a data breach requiring notification. This is a difficult challenge for a compliance officer whose organization experiences an incident that spans multiple jurisdictions. For example, a financial services company in New York may have an incident potentially exposing sensitive client data. The company would have to perform a separate incident assessment for every state in which the affected clients live, and also for the regulators specified by GLBA or other federal rules. In addition, each state and federal jurisdiction may have its own notification specifications. Whatever the assessment or notification requirements, the burden of proof always rests with the organization, not the regulators.
Best Practices for Responding to Cyber Incidents and Managing Data Breach Notification
Compliance officers and other responsible executives need to plan their organization’s incident response and breach notification processes carefully, to mitigate potential harms from data breach and ensure regulatory compliance. The following best practices can help organizations successfully meet the challenges of responding to incidents and providing breach notification, and form a backdrop to the 12-step response process discussed at the conclusion of this document.
Best Practice 1: Make incident response and data breach notification a cross-functional effort.
As mentioned earlier, there can be departmental breakdown when responding to an incident or data breach. Security may see incident assessment as a privacy function. The complex nature of incidents and data breach encompasses more than regulatory expertise, however. It includes understanding the technical aspects of an incident—the nature and severity of an incident, the nature and sensitivity of the affected data, remediation steps, etc. Effective incident assessment bridges the gap between the technical and legal aspects, so compliance officers and security professionals can accurately determine if an incident is a breach that legally requires notification. This same type of cooperation is required during all phases of incident response and breach notification, and from all departments: IT, information security, privacy, legal, public relations, and among external partners, such as insurance brokers or breach services providers.
Best Practice 2: Develop and test an operational plan for managing incident response and breach notification.
It is not uncommon for companies to take ad hoc or unproven approaches to incident response and breach notification. Evolving threats and the ever-growing number of incidents make this a dangerous practice. Thus, compliance, privacy, and security professionals must create consistent, scalable, and repeatable processes for both managing incident response and providing breach notification. Consistency ensures best practices are made “operational” and legally defensible. These processes should also remain flexible and scalable as the nature and volume of incidents and breaches change.
Incident response and breach notification plans should be tested on a regular basis and updated as needs change. For example, tabletop tests may occur monthly, while full-scale testing can be a quarterly or annual activity. Of critical importance is defining roles and responsibilities for internal staff as well as external partners. These tests should involve all relevant departments as well as a member of the executive staff.
Best Practice 3: Invest in a relationship with an experienced privacy counsel combined with appropriate software tools for managing incident response and breach notification.
The many variables of an incident make developing an operational process difficult. Some of these factors include:
Multiple state and federal laws for breach notification.
The technical nature of an incident, including the security measures taken to contain the incident.
The overlapping nature of the incident assessment, which relies on information security, privacy, and compliance input to be accurate.
The fact that the burden of proof rests with the organization, not regulators. The organization must determine, using the incident assessment process, if an incident is a data breach, and then defend its position with documented evidence.
Your privacy counsel will maintain familiarity with the myriad laws and regulations that come into play in the calculus for a data breach response. They also are close to and familiar with the relevant regulators and attorneys general, which places them in an excellent position to provide their clients with appropriate guidance in evaluating cyber incidents as to whether they represent a notifiable data breach, and if so, how best to manage the notification and response content and process.
To complement privacy counsel, your incident management team must use appropriate tools to capture and maintain the relevant information for all cyber incidents, whether they become data breaches or not. This level of rigor is most important for corporate security and privacy teams in order to put them in the best position to reply to and defend any inquiries from regulators and prosecutors.
12 Steps to Successful Incident Response and Data Breach Management
With these best practices in mind, companies can follow this 12-step checklist to help them respond to incidents and data breaches in a manner that complies with regulations and best protects the organization and potential victims. The 12 steps can be broken down into these four phases of the response process: Discover, Analyze, Formulate, and Respond.
Step 1: Gather incident facts. Collect and produce the relevant data for analysis.
Step 2: Examine the data to determine the facts of the privacy or security incident.
Step 3: Document all findings using a clear, defensible method that can be upheld in courts of law and enforcement agencies.
Step 4: Perform an incident assessment to determine whether the security or privacy incident meets the legal definition of a data breach that requires notification.
Step 5: Stay current with the latest federal, state, and international laws regarding breach notification. Compliance and privacy officers must analyze the findings of the incident against these laws to determine if it is a data breach.
Step 6: Prepare to meet the burden of proof to inform regulators of the reasons to provide notification or not.
Step 7: Engage appropriate outside partners, such as outside counsel, insurance broker, and breach services provider.
Step 8: Tailor notification and response to the specifics of the breach, such as demographics, customer relationships, and risk information of the affected individuals.
Step 9: Ensure that the response is complete to best protect the affected population and meet regulatory requirements.
Step 10: Provide notification to affected individuals, regulatory agencies, and the media as required by law.
Step 11: Enroll in identity monitoring and protection for potential victims.
Step 12: Provide victims of identity theft with recovery services.
Data breaches are growing in size, complexity, and frequency, and so are the harms to companies and affected individuals. The nature of data—both its accessibility and its volume—is increasing exponentially, making it ever more susceptible to cyber attacks and other threats. As a result, security incidents have become an inevitable cost of doing business. Yet, companies may lack the expertise and resources to manage these incidents. From a compliance perspective, it can be difficult to differentiate between an incident and data breach—putting organizations at even greater risk for such breaches. Numerous, conflicting breach notification laws and the technical nature of incidents require compliance, information security, and other departments to work together to mount an effective response. To succeed, companies need to develop a cross-functional, operational capability that can guide them through every phase of incident response and data breach management: discover, analyze, formulate, and respond. In this way, they will demonstrate compliance and due diligence to regulators, and protect their own well-being and the well-being of the customers they serve.