By Karl Robe, APR, Rebecca Grassl Bradley, JD, and Andy Schlidt, JD
A world-leading online security firm received the following from an alleged hacktivist representing the notorious cyber-activist group Anonymous: “If we don’t hear from you in 30 minutes, we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code.”
Data security breaches present a crisis situation faced by a growing number of companies and organizations, both small and large, with no end in sight.
Organizational inattention to information security leaves businesses and their customers vulnerable to privacy violations, fraud, financial loss and reputational harm. Therefore, companies cannot blindly rely on their information technology staff or third-party contractors to secure sensitive data.
Ultimately, company leaders bear the responsibility to recognize the risks and take steps to prevent data loss or theft by implementing a comprehensive information security program, which includes incident response plans to minimize the adverse effects of a breach on the company and its customers.
While some studies indicate consumers are becoming numb to data breaches (because responsible companies are paying for any financial effects), legislative and regulatory bodies are becoming increasingly concerned with the solvency of companies, shareholder impact, identity theft and many other issues associated with data breaches.
Consider the case of a prominent health insurer, which in a publicized announcement recently paid $1.5 million to settle violations of HIPAA’s Privacy and Security Rules, arising from the theft of unencrypted hard drives containing protected health information of over 1 million individuals.
No industry, however, is immune to data security breaches, especially when companies or their vendors collect and store credit card data, medical records, financial records, or personally identifiable information. And, even though congressional legislation appears to be stalled for the moment, the inevitability of another high-profile data breach will most certainly re-focus the lens for greater data security scrutiny.
Verizon’s 2012 Data Breach Investigations Report revealed 855 data breaches investigated by Verizon, U.S. Secret Service, and law enforcement agencies from the Netherlands, Australia, United Kingdom and Ireland. A total of 174 million compromised records were lost in 2011.
According to Verizon, outsiders are still responsible for most corporate data theft. Organized criminals were behind the majority of breaches in 2011. Activist groups stole more data than any other group, with a somewhat different motivation behind their breaches: ideological dissent.
The Cost of Data Breach Study recently released by the Ponemon Institute in conjunction with Symantec sheds further light on the costs and causes of data breaches:
- Costs to notify victims of a breach increased in this year’s study from approximately $510,000 to $560,000. A key factor is the increase in laws and regulations governing data breach notification.
- Negligence remains the most common threat. The number of breaches caused by negligence edged up one point to 41 percent and averaged $196 per record, up 27 percent from 2009. This steady trend reflects the ongoing challenge of ensuring employee and partner compliance with security policies.
- Encryption and other technologies are gaining ground as post-breach prevention, but training and awareness programs remain the most popular. Sixty-three percent of respondents use training and awareness programs after data breaches, down four points from 2009. Encryption is the second most implemented preventive measure as a result of a data breach, utilized by 61 percent. Both encryption and data loss prevention solutions have increased 17 percent since 2008.
- Malicious or criminal attacks are the most expensive and are on the rise. In this year’s study, 31 percent of all cases involved a malicious or criminal act, up seven points from 2009, and averaged $318 per record, up 43 percent from 2009.
Data Breach Prevention
Many companies do nothing and hope for the best, regardless of facing governmental fines, penalties and other consequences of failing to secure data, including reputational damage and operational interruptions, relentless media coverage, employee and vendor defections, and productivity loss.
While attempted data breaches may be inevitable, preventing them is achievable. Recognizing the risks, companies must act to prevent attacks and thefts by developing and implementing a comprehensive information security program, educating employees about the policies and procedures that constitute the program, and ensuring that the company’s third-party vendors with access to the company’s information are contractually obligated to comply with the program. Critical components of any information security program include:
- Data encryption
- A records retention and destruction program
- Access controls to limit employee and contractor access to information on an as-needed basis and to authenticate users
- Physical controls, such as locks and card keys
- Technological controls, such as passwords, biometrics and firewalls
- Intrusion detection, penetration testing and vulnerability scanning
- Security assessments and audits
- Incident response plans
- Employee education and communications
Data Breach Crisis Planning
When people and profits are affected, a crisis is underway. Determining if and when to act, and in what manner, is most effectively and strategically accomplished prior to the moment of crisis.
To prepare organizations for crises and issues most likely to occur, and, as a result, improve responses to most breaches, the following outlines steps companies should consider taking to prepare for and respond to a data breach.
Crisis Vulnerability Audit
- Identify, pre-empt and prevent agenda-altering operational events.
- Identify, prepare and plan for agenda-altering unforeseen events.
- Prioritize by event likelihood and impact.
- Identify applicable regulatory security mandates in your industry.
Crisis Planning
- Pre-determine action plans, scenario messages, response personnel, decision-making authority.
- Determine how leaders will manage identified vulnerabilities.
- Assign operation impact values to scenarios.
- Hold quarterly exposure leadership sessions.
- Discuss new issues and progress toward eliminating previously identified exposures.
- Outline scenarios, timelines, variables, strategies, damage forecasts, messages, channels, affected audiences.
Crisis Rehearsal
- Assemble crisis response team.
- Activate pre-determined action sequences.
- Conduct media, message and presentation training sessions.
Crisis Response
- Manage the situation.
- Respond and react to outside factors.
- Monitor and measure visibility, audience knowledge, attitude and resulting behavior.
- Initiate countermeasures to achieve necessary changes to attitudes and behaviors.
Crisis Recovery
- Rebuild an organization post-crisis.
- Identify opportunities to emerge stronger.
- Create action plan to rectify brand, credibility, reputation, stability, etc.
- Launch actions necessary to rebuild.
- Communicate about those actions.
- Measure audience attitudes and behaviors toward organization, product, service, issue, leadership, etc.
Data Breach Response
Upon becoming aware that a data breach occurred, the affected company must act quickly to contain the breach, which requires an understanding of its origin and cause.
- Consider whether law enforcement should be notified, with consideration given to contacting the FBI or the U.S. Secret Service rather than a local police department that may not have requisite resources to investigate the breach.
- Forensic analysts may be retained to investigate and remediate the breach while preserving data that may be crucial for law enforcement to pursue the hackers who committed the breach.
- Public relations professionals may be retained to handle media communications, particularly if the company is required by law to publicly report the data breach.
- Insurance policies should be reviewed to determine whether coverage may exist for damages incurred by the company directly or by third parties as a result of the data breach.
- Finally, the company’s contracts with affected customers and contractors should be reviewed to ascertain the company’s obligations to report the breach to those parties and indemnify them for any losses.
Many states have enacted data breach notification statutes that require companies to report incidents where personal information has been released without authorization. Analyzing which state laws may apply can be tricky because the laws are not uniform.
For example, some states require reporting under their statutes if the company that experienced the data breach does business in the state. Other state reporting requirements are triggered if affected individuals reside in a particular state, regardless of whether the company does business there. Notice obligations also may be based on the number of affected individuals and whether the breached data was unencrypted.
In addition to directly notifying affected individuals, reports to consumer reporting agencies or state attorneys general may be required. If the company does not have contact information for affected individuals, it may be necessary to distribute information about the breach on the Internet or to the media, which may trigger additional communications to ensure operational and reputational continuity.
Many statutes impose time frames within which reports must be made. Notifications should be coordinated with law enforcement to avoid adversely affecting any investigation.
Communication is Key
Both internal and external communications play crucial roles in preventing, managing and recovering from a data security breach. When comparing the company responses to data breaches described below, it’s easy to see the need for strategic, regularly rehearsed and executed communications and crisis plans. This ensures security protocols are top-of-mind internally and that external audiences are communicated with quickly, consistently and thoroughly.
A recent article by CNET’s Elinor Mills contrasts data breaches at Sony, Google and Heartland Payment Systems, one of the nation’s largest payment processors. What her comprehensive reporting reveals is the importance of data security, considering that a company’s entire informational history can fit on a portable drive. Breaches in data security lead to financial, legal and reputational damage that can sink businesses and organizations responsible for protecting data and privacy.
“No company that suffers a breach should feel safe from either hackers or disgruntled customers,” warns Brian Martin of the Open Security Foundation in a CNET interview. “Companies can’t take it for granted that they are just going to bounce back over time. They may have to struggle and work harder to recoup earnings and restore brand image and customer trust.”
Karl Robe, APR, counsels attorneys and executives on communications strategies that support achievement of growth objectives and overcome business challenges. Contact him at Karl James & Company LLC by emailing karl.robe@karljames.com.
Rebecca Grassl Bradley, JD, is an attorney and Co-Chair of the Technology Law practice at Whyte Hirschboeck Dudek S.C. headquartered in Milwaukee, WI. Contact her at Whyte Hirschboeck Dudek S.C. by emailing rbradley@whdlaw.com.
Andrew J. Schlidt, JD, is an attorney and Co-Chair of the Technology Law practice at Whyte Hirschboeck Dudek S.C. headquartered in Milwaukee, WI. Contact him at Whyte Hirschboeck Dudek S.C. by emailing aschlidt@whdlaw.com.