When a Data Breach Happens: Be Ready, Be Calm, and Preserve Evidence
By Tom Hagy
When it comes to data breaches, things can get complicated fast. But if any simple themes emerge, they boil down to these: be prepared, continually make sure you are still prepared, engage the right people right away, act appropriately but don’t overreact, and document everything you do as if you were already answering to an Attorney General.
These are some of the themes that emerged during a panel discussion at a conference produced by HB Litigation Conferences LLC (the NetDiligence® Cyber Risk & Privacy Liability Forum) during a session titled “Data Breach Preparedness: The Right Way to Survive 30 Days of Hell.”
Moderated by Steven Anderson of XL Group, the panel comprised Ted Augustinos, Esq., Edwards Wildman Palmer LLP; Nicholas Cramer, All Clear ID; Richard Cheng, Kivu Consulting; Larissa Crum, Immersion Ltd.; and Ozzie Fonseca, Experian Consumer Direct. Editor’s Note: HB Litigation Conferences will produce the next NetDiligence® Cyber Risk & Privacy Liability Forum June 6 – 7, 2013, in Philadelphia. For more information, please visit www.LitigationConferences.com.
Augustinos told the audience that 96% of breaches are avoidable even with minimal to medium levels of security. To prepare, he said, no one simply starts off with a breach policy. “It’s about getting the team together. Having forensics talk to I.T. Repeat and visit your plan and your processes. Know your insurance requirements.” Augustinos places a great deal of value in staying abreast of change. Technology changes, threats change and employees change, he said, noting that a huge part of the data security problem is related to human error. “We can’t get enough training and revisiting of processes with employees who are handling data,” he said.
Experian’s Fonseca said fire-drill-style responses have a lot to do with the company’s lack of preparation. “They didn’t have it in their plan to contact a forensic firm, to call outside counsel or to have a notification team ready to send out letters, so by the time they figure out what to do, they have already burned through maybe 30, 45 or 60 days since the breach. It can be so late in the game they are just trying to make something happen.”
“Sometimes we find their responses are clumsy, not well thought out and the client makes a decision to notify, in some cases, before they even know there has been a breach, or certainly a breach that requires notification,” Fonseca warned, adding that the qualifications and readiness of the individuals put in charge of a response plan can make a big difference in the final cost of a breach. “So many notifications happen that are voluntary. And that has a lot to do with the hasty, unilateral decisions made by one individual who wants to do the right thing without consideration of costs and consequences of such notifications,” he said.
The panel was emphatic that it does save a company money to have a plan in place.
Augustinos of Edwards Wildman noted a case in which two months went by before a company realized there was a breach, so it didn’t implement a response plan right away. “Once everyone started scrambling around there was lost time and exposure to people whose data had been breached. Regulators get much more excited when you’re telling a story that a breach happened two months before and they realize the company doesn’t have its act together. . . . Just pure lack of preparedness will increase regulatory exposure, [the risk of] private causes of action and all kinds of problems. The other end of the spectrum is where you jump the gun, and do something before you’re ready, which usually means you’re going to end up doing it again. It increases play in the press, the blogosphere, attention by regulators, and it doesn’t help the company’s reputation. The opposite can happen when you are prepared and you’re held up in the press as a model of how to handle this stuff.”
Cramer of All Clear ID said that if you execute a plan it is always going to be much cheaper than trying to “ham fist a response and go and get three or four vendors to do a specific job here, there and every other place. Remember that whatever you do, it is going to take people, some of whom have to work overnight, to run a call-center efficiently. And it can be costly if you have to rush people into place.” He said the cost of a breach to an unprepared company is four or five times that of a prepared company.
Anxious to save money, Fonseca said large companies sometimes think they can handle calls internally because they have large call centers and high-capacity letter shops. But what they don’t realize is that “letters beget phone calls and phone calls beget concerns and then maybe legal action with many issues to address,” he said. “I cannot think of a situation where a breach involving data of 50,000 people does not benefit from expertise of outside counsel and other outside support to avoid over-burdening their resources, which carries with it opportunity costs.”
“When I think about preparation and insurance,” Immersion’s Larissa Crum added, “I think about preparation being your risk mitigation and insurance being risk transference. They are not mutually exclusive. The better prepared a company is, and has gone through a walk-through [of a breach scenario], even as basic as just knowing the team or having the team identified, you’re already better than 75% of the other companies out there.”
Crum urged the audience that, when faced with a breach, “respond with the end in mind.” Act as though you will be answering to the Office for Civil Rights or a state Attorney General. “Make sure you have documented all of the things that went into your decision making.” Did you engage a breach coach? Did you engage a forensic team? Document everything the whole way through notification, she said.
Cramer said there is an increase in the number of voluntary notifications, even when there is not a legal reason to issue notifications. When this happens, Cramer said, suddenly the breach becomes public and there is damage to manage. Cheng added that breaches happen all the time and aren’t necessarily in the headlines. “You can be headlined for all the right reasons and for all the wrong reasons,” he said.
Anderson asked the panel to define a fair timeline for that process.
While it depends on several factors, Crum said notification sometimes must take place in a couple of days, but generally they occur within seven. “Depending on the size of the breach, the notification will be executed in staggered waves so you’re not overloading the call center,” she said. “It’s the first few weeks when you get the most call center activity.”
It is important, when trying to fix a problem, not to obliterate information that can help mitigate your exposure.
Kivu Consulting’s Richard Cheng shared a situation in which a firm holding private personal information, or PPI, was notified by a client that the client was able to do a Google™ search on himself and see all the information the firm was holding. Panic ensued. The firm’s I.T. team determined that the cause was a Google spider (a process that Google runs across Web pages to collect information) that came in through a hole in the firewall, a hole that was later found to have been left open so the firm’s third-party data backup service could access the firm’s server, which itself was hosted by a third-party provider. Anxious to remediate, the I.T. department implemented a process to flush Google caches relating to information on the firm’s website.
“Normally you might think you’re done at that point,” Cheng said, “but the company contacted outside entities to alert them to the breach and tried to assure them that no harm was done.” But someone on the team wanted to verify this, and Kivu was asked to perform the analysis. Cheng said his team confirmed that the problem originated from a Google spider, but that in the process of remediating, the I.T. team “destroyed all of the evidence that would have told us how long the information was exposed, much less how much.” It found that the firm had never paid for third-party security monitoring services. Analysis also revealed that this was not the first breach.
“Two months prior a malicious hacker accessed the server through the same hole in the firewall. We found malware and bits of code showing that the hacker began to encapsulate data and get out,” Cheng said. “We found evidence that data was being sent to Russia.”
Augustinos said that I.T. people are good at finding a problem and fixing it, but that he, too, has seen where that process has obliterated all the forensic evidence of the problem. “Sometimes you are left knowing there was an intrusion and that someone accessed your data. In some states,” he said, “access alone is enough to trigger breach notification requirements, so you must assume everything was exposed and exported because the forensics people didn’t have the benefit of telling the I.T. people … to address the problem in a way that preserves the forensics.”
Larissa Crum of Immersion echoed the need to preserve and gather forensic information. She said breach notification services like hers are sometimes the first to be called. In that case, she asks the leading questions: Has your legal team or forensics team been notified? Too often the response is troubling, along the lines of “Well, our G.C. told us we need to notify.” Crum said that’s a “huge, huge red flag to us.”
When a breach occurs, Crum said, “you want to limit the number of people actually involved. Of 10 breaches [a notification service like Immersion] might only get brought in on three of them because, based on forensics or based on legal analysis, there ends up being no duty to notify.
The last thing you want to do is bring people like us in too soon because [notification] is not relevant. Once we find there is a duty to notify, now you’re looking at everything. What are the timelines? Which state statutes are affected? Are we dealing with the state or federal regulators or both?” “The last thing you want is a big party of people down there to start the [breach investigation] process,” Crum cautioned.
Crum later told The Advisory, “It is important to think about not only what can be done to identify and mitigate exposures but also the process to determine that an event is a data breach. It’s a data incident—not a data breach—until legal and forensics say so. Legal should always be your first call. You want your attorney to contract with a forensics provider so that all communications can remain under privilege.”
What You Should Know
Once a breach has been confirmed and a duty to notify exists, Crum told The Advisory, here are the top 10 things organizations need to know:
1. Time is of the essence. Whether the breach falls under federal regulations (HITECH) or state regulations (47 states), there is always a time frame within which notice needs to occur. Be cognizant of what those time frames are and plan accordingly.
2. Engage a data breach response vendor. Hopefully you have vetted vendors as part of the planning process but you want to work with a vendor that understands data breach response.
3. Credit Monitoring/Identity Theft—to use or not to use. This depends on the information that was compromised; for example, if bank account information is compromised but not Social Security numbers, an argument can be made that no monitoring is required.
4. When crafting the data breach notice, you will want to remove the phone number from the cover letter—individuals will call whatever number they see.
5. Remember to communicate in the language most common to the individuals.
6. Think about the return address. This is often overlooked but can be very important if a large number of individuals need to be notified. On average, 13% of mailed notices are returned.
7. Think about the response to the response—the call center. This is the first live interaction that an affected individual has with an organization.
8. Call center—FAQs. These are the questions and answers relative to the data breach incident. It is important to review these while giving thought to the individual affected. In the example above about credit monitoring, you want to have an FAQ that addresses why credit monitoring is not being offered.
9. Call center—escalations. Make sure that organizations have the appropriate team in place to respond to calls that get escalated from the call center.
10. Respond with the end in mind—class action or regulatory inquiry. It is critical to work with a vendor that has the ability to provide documentation on every step of the notification and call center process, whether it be the results and decisions made on the address scrub or the call information at the call center.