By Steve Viuker
Just like a day at the beach can turn nasty without warning, so too can a data breach hit.
At a recent cyber event, Lisa Clark, a partner in the Philadelphia-based firm of Duane Morris, explained what to do when a company suspects a breach. “The [questions] I ask [are], ‘What’s the basis for the suspicion? Could it just be a security incident, or does it really meet the definition of a breach under applicable federal (e.g. HIPAA) or state law? Who discovered it and when?’ These are all important questions in order to position the company to fulfill its legal obligations with respect to a breach.”
Assuming it is a true breach, then the company should follow its incident response plan. This includes consulting a lawyer to preserve attorney-client privilege; continuing to investigate the situation and hiring outside forensics; notifying the insurance carrier; and contacting the government, depending on whether the breach could constitute a crime, such as a suspected theft of data.
“Once the breach is defined, next steps will include notifying affected individuals and federal and state government agencies depending on what law applies,” Clark said. “The media may have to be contacted as well, and credit monitoring may need to be offered.”
The incident response plan should also lay out who will do what. “One of the biggest problems we see in breach response is the lack of coordination among different members of the workforce during a breach response,” said Clark. “The CIO may call in forensics, the CEO may call the lawyer and someone else may begin to write the notice letter. The response needs to be carefully coordinated at every level.”
“We work with tech companies to find solutions for our clients,” explained Steve Rubin, a partner at Moritt Hock & Hamroff focusing on cybersecurity. “We might point out a password problem and the tech firm will have a solution. We also document the solutions so as to lessen the legal responsibilities of a company. The biggest mistake we see is companies that have cybersecurity issues call in a tech firm, and if the tech firm generates a report saying this is what we found and if you get sued, that report now has to be handed over to the side that sued you. It’s far better if you hire a lawyer first, who can then hire the tech firm. That report is then privileged and can be kept from the other side.”
Incident vs. breach is an important distinction, said Ben Goodman of 4A Security.
“A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices,” he explained. “A breach is an unauthorized acquisition, access, use or disclosure of protected information which compromises the security or privacy of such information.”
Goodman listed the steps that should be taken prior to an incident:
Have you identified your most valuable/critical information assets?
Have you conducted a risk assessment lately?
Do you have an incident response team?
Are you monitoring your logs and alerts?
Do you have an incident response plan?