Data Breaches - Lessons Learned the Hard Way

Posted by Michael Titens

“If only someone had told me that this could happen to me!”

That is the sentiment we hear in our clients’ voices when they call to ask for help responding to a data breach, ransomware attack, or other cyber incident. Each call is different, but common elements emerge. Here are some lessons we have learned and some advice people wish they had heard sooner.

1. Data Inventory (do you know what you have?) and Data Hygiene (do you still need it?)

After a cyber incident, one of the first questions we ask our client is, “What data did you have?” The type and scope of affected data will drive decisions about remediation, third-party notification, contractual obligations, and other matters.

However, the only clients who can efficiently answer this question after an attack are the clients who understood their data before the attack. Two categories of data that trigger most legal requirements – personally identifiable information (PII) and health information – can be found in employee files and in credit applications and other documents received from third parties. Breach preparation begins with a data inventory and data mapping that catalog in detail the data you have and where you keep it: Is it on a central server, or is it segregated from other servers (or better yet, kept offline)? Who has access to which data, and can they access it remotely? What about important proprietary data, trade secrets, and email communications?

The next step is data hygiene: evaluating whether you still need to keep all of the data you are storing. In one recent attack, a company faced notification obligations to thousands of people it had not done business with in years. Nevertheless, their historical account information was still stored on servers connected to the Internet, and so was within reach of the hackers. Had that historical information been stored offline, or even deleted, the burden and expense related to the breach could have been greatly reduced.

You should also consider encrypting both data stored on your system and data sent from your system. End-to-end encryption serves multiple purposes. It protects the privacy of the data itself; it can create an exception to notification obligations that would otherwise apply following a breach; and it may be a data security obligation you have undertaken in an insurance policy or other contract. In some cases, end-to-end data encryption is statutorily required.

2. Practical Protection Against Ransomware – Resilient Backups

Businesses, healthcare providers and governmental agencies in particular, face ransomware attacks with ever-increasing frequency. In a typical ransomware attack, the attackers breach your system, encrypt your data, and then offer to provide the decryption key in exchange for a ransom payment, usually in a digital currency such as bitcoin. Many businesses can’t operate without that data and have no choice but to pay the ransom and hope that the decryption key works to unlock all of the encrypted data – and that the attacker doesn’t return with another demand.

On the other hand, businesses that have recent backups of their data may not need to pay any ransom at all. They can restore the backed-up data (often on a newly purchased computer system) and carry on with business with minimal interruption. But not all backups are equally resilient. One client found to its dismay that every file modification made by the attackers was automatically backed up into the client’s archives: when the files on the client’s main system were encrypted, the infected files were synced to the backup system as well, overwriting the clean copies archived there. Maintaining an offline backup, or a backup that retains previous versions of each file, can be vital to recovering from a ransomware attack.

3. Law Enforcement – they may be your friends, but don’t expect the authorities to solve your problem.

Both the FBI and the Secret Service have extensive resources to investigate cyber incidents and track down the culprits. Reporting an incident to law enforcement is often one of the first steps taken by a cyber attack victim, and such reporting can enable law enforcement to identify patterns and warn other potential victims. However, law enforcement’s primary goal – to find and prosecute the hackers – is not necessarily consistent with your goals of finding out what happened, how it happened, and how to restore your systems. There are many instances when notifying law enforcement will not be as high a priority as conducting your own forensic assessment, managing internal and external communications, and assessing your own legal obligations.

4. Cyber Insurance – It seems expensive, until you need it.

A couple of years ago, a retailer called and told me about its breach. Point-of-sale devices had been compromised and credit card data stolen. This retailer would be launching a computer forensics investigation and then facing legal compliance and customer notification costs, all running into the hundreds of thousands of dollars. When I asked about cyber insurance, the retailer explained that while management had considered purchasing a cyber policy, it seemed too expensive at the time. In this case, nearly all of the remediation expenses were precisely the types of expenses that a cyber policy would have covered, all for a premium far less than the out-of-pocket expenses the retailer ultimately incurred.

This retailer’s experience and others like it have led me to conclude that nearly every business should have cyber insurance coverage. Policies differ in various respects (including the sub-limits that might apply to certain types of losses), but cyber underwriting has improved, and premiums and policy terms are becoming more competitive. Perhaps you will never need the coverage, but more and more businesses are finding themselves on the wrong end of cyber incidents and paying a high price to deal with the fallout.

5. Legal Compliance – Notification laws that apply to you may not have been written with your business in mind.

Nearly every state has a breach notification law, and no two of them are exactly alike. These laws can require a breached business to provide notice to affected individuals, state attorneys general, and credit reporting agencies – sometimes in as little as 15 days. Many federal regulatory agencies also have notice requirements applicable to certain industries, including banking and communications. In addition, under HIPAA and corresponding state laws, healthcare providers and their business associates face strict regulation on privacy matters that is aggressively enforced. Multi-million-dollar fines have been levied for loss of covered data or loss of devices (such as laptops, tablets, and smartphones) that contained covered data.

Unfortunately, determining which of these laws and regulations apply to you and what they require following a breach is not straightforward. For example, to determine whether a state’s breach notification law requires notice to an affected individual, you may need to determine that individual’s state of residence, whether you “do business” in that state, whether the hackers exfiltrated the data from your system or merely gained access to it, whether the affected data was owned by you or was being held by you on behalf of another party (and if so, who), whether the data was encrypted, and whether disclosure of the data would be likely to result in harm to the affected individuals or entities, among other things. Each of these questions can be difficult to answer when only limited information is known about the incident, and it can take weeks for a forensics team to provide the information you need. Plan on operating under uncertainty.

6. Plan Ahead – Who ya gonna call?

So what can you do now, before an incident occurs? In addition to the suggestions mentioned above, some basic preventive measures include keeping your operating system, software, and antivirus programs updated and patched, using strong passwords and two-factor authentication (including on laptops and other mobile devices), and training employees to recognize and report security threats.

Sometimes, though, even the best policies and procedures will not prevent a breach. An effective response then depends on having an up-to-date incident response plan that identifies a team of employees and contains phone numbers for them and for key external resources, including your outside forensics, legal, public relations, and insurance providers. Best practices include periodically gathering the team on short notice to conduct practice responses to various types of hypothetical cyber incidents. This advance planning will significantly increase your ability to gather your team and launch your response quickly and confidently should an incident arise. With proper planning and the right team, you will be in the best position to manage whatever event may occur.
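To make the backup lesson in item 2 concrete, here is a small added shell example (not code from the original post) that contrasts an overwriting mirror sync, which copies the attackers' damage over the archive, with labelled snapshots that keep earlier versions intact. The directories, the file contents and the "incident" step that replaces file contents are all constructed for the demonstration and live under a temporary directory.

```shell
#!/bin/sh
# Added example: an overwriting mirror loses the clean copy once the damaged
# files are synced; a snapshot archive that never touches earlier labels keeps
# a version from before the incident that can be restored.
# All paths are constructed and created under a temporary directory.
set -eu
WORK=$(mktemp -d)
LIVE="$WORK/live"             # production data
MIRROR="$WORK/mirror"         # one-way overwriting sync (what the client had)
SNAPSHOTS="$WORK/snapshots"   # versioned archive, one copy per label
# mirror_sync: replace the mirror with whatever the live system holds now.
mirror_sync() {
    rm -rf "$MIRROR"
    mkdir -p "$MIRROR"
    cp -R "$LIVE"/. "$MIRROR"/
}
# snapshot_backup LABEL: store a full copy under its own label; earlier
# snapshots are never modified, so a clean version survives later runs.
snapshot_backup() {
    mkdir -p "$SNAPSHOTS/$1"
    cp -R "$LIVE"/. "$SNAPSHOTS/$1"/
}
# restore_from LABEL: bring the named snapshot back into the live directory.
restore_from() {
    rm -rf "$LIVE"
    mkdir -p "$LIVE"
    cp -R "$SNAPSHOTS/$1"/. "$LIVE"/
}
# simulate_incident: constructed stand-in for the attackers encrypting the
# live files; it just replaces each file's contents.
simulate_incident() {
    for f in "$LIVE"/*; do
        printf 'ciphertext\n' > "$f"
    done
}
# demo: run the timeline and report what the mirror holds and what a restore
# from the pre-incident snapshot gives back.
demo() {
    mkdir -p "$LIVE"
    printf 'customer ledger\n' > "$LIVE/ledger.txt"
    snapshot_backup day1 && mirror_sync      # both backups are clean here
    simulate_incident
    snapshot_backup day2 && mirror_sync      # the scheduled job copies the damage too
    mirror_now=$(cat "$MIRROR/ledger.txt")   # the mirror's only copy is now damaged
    restore_from day1                        # the day1 snapshot is still intact
    printf '%s|%s' "$mirror_now" "$(cat "$LIVE/ledger.txt")"
}
```

Running `demo` prints `ciphertext|customer ledger`: the mirror has nothing left to recover from, while the labelled snapshot restores the original file.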