By Billee Elliott McAuliffe
From the news on television or stories on the Internet, it may appear that only large companies in certain industries are the targets of hackers and the victims of data breaches. But, that is in no way true. No company, no matter the size of the industry is safe. And, we are all the victims of these data breaches.
Ten years ago, most companies’ approach to cybersecurity and data breaches was reactionary. Companies did not have adequate plans in place to handle breaches and executives were often dumbfounded and caught unaware when a breach occurred. After a number of big players (e.g., Anthem, Target, Equifax) fell victim to cyberattacks, more companies began to understand the need for robust cybersecurity, business continuity, and incident response practices and procedures. Despite this, many companies are still lagging behind.
The Poneman Institute, in its 2018 Cost of Data Breach Study: Impact of Business Continuity Management, which was sponsored by IBM, surveyed 477 companies in 13 countries that experienced a data breach in the 2017 calendar year. Each of these data breaches involved the compromise of 2,500 to 100,000 records containing personal information, which cost these companies on average $148 per compromised record. But, according to the Poneman Institute, the costs per record are not all equal; costs grow exponentially with the number of records breached. The Poneman Institute estimates that the cost of a 1 million record breach is approximately $40 million while a breach of 50 million records is $350 million. That seems like a large bill to pay for a situation that may have arisen from an employee leaving a laptop open in an unsecured location, a business failing to discover a vulnerability in the company’s information technology systems or an employee clicking on a nefarious link in an email.
With costs of a breach this high, one would think that every company would have elaborate cybersecurity, business continuity, and incident response practices and procedures in place. Yet, only 55 percent of those surveyed by the Poneman Institute had a business continuity management function or disaster recovery team that was involved in enterprise risk and crisis management. This was to their detriment. Prevention is truly the best medicine when it comes to data breaches.
Hackers often look for information that has value, such as an individual’s name plus his/her bank account number, social security number or credit card number. Ensuring that your company’s practices and procedures with regard to these types of information provide adequate protection should be the cornerstone of your planning. However, you also need to plan for how you and your team will respond when this valuable information is compromised.
When companies have taken the time to think through and formulate comprehensive incident response policies, the incident response times and costs are significantly reduced. According to the Poneman Institute study, there was a 6.5% reduction in the per capita cost of a data breach and a 44-day reduction in the average time to identify a data breach in companies that had business continuity management/incident response programs in place over those that did not. This works out to be a difference of $690,000 in the average total cost of a data breach ($4.24 million average total costs without business continuity management/incident response programs and $3.55 million for those with such programs) for companies that have robust practices and procedures in place.
Because there is not an overarching federal policy on data breaches, compliance can be complex. There are certain federal rules pertaining to particular types of personal information and certain sectors of the economy, like protected health information, which is protected under the Health Insurance Portability and Accountability Act (“HIPAA”). There is also nonpublic personal information, which is protected under the Gramm-Leach-Bliley Acts of 1999 (“GLBA”) and applies to financial institutions such as banks and lending institutions. But, for the most part, general data protection laws come at the state level, some even getting down to the county and city level, and, unfortunately, these are laws are far from uniform.
Adding to the compliance difficulty is that many companies are not aware of which laws actually apply to their given data breach. Generally speaking, most of the laws regarding notifying affected persons after a data breach has occurred, the residency of the affected person is the determining factor in which law applies. For example, if a Missouri resident makes a purchase from a business in California, and that individual’s information is stolen, the California company would have to comply with Missouri laws with regard to notifying such resident of the data breach. Additionally, since the company was doing business in California, certain California laws may also apply to such company’s use of the individual’s information. In other words, one company may have to comply with 50 different laws when making notifications for one single data breach. And, the timeframes for providing notice under some of these laws are very short. You may be subject to providing notification within 72 hours of you becoming aware of the data breach. Hence, being prepared and having a well-thought-out plan are crucial.
Why are companies not instituting these robust practices and procedures?
Most likely, it is the time and money required to implement these types of cybersecurity, business continuity, and incident response practices and procedures. Significant time and effort must be spent understanding the totality of the companies’ systems, how personal information is used and stored and what persons or entities are interacting with such information and why. Further, leadership has to think about all the different places, both likely and unlikely, where a breach could occur.
Additionally, this analysis should not be limited to just your companies’ systems, practice, and procedures. It also needs to include your vendors. For example, with the Target breach, the bad actor’s access to their systems was traced back to an HVAC system provider’s network credentials that had been stolen. Therefore, you need to analyze what third parties have access to your network and are that access appropriate for the services being supplied. Does an HVAC provider need to have access to the systems where credit card information is housed and if not, you need to ensure that that HVAC provider’s access is appropriately limited. If this vendor does require that type of access, then you need to ensure that it has the appropriate practices and procedures in place to prevent intrusion to your systems occurring through such vendor’s systems. This may require a review of your contacts with the vendor to include the appropriate contractual obligations on such vendors.
Furthermore, a company needs to understand what types of information are at risk in which systems and how to handle those different risks within its practices and procedures. The personal information at risk if someone breaks into a computer in human resources will different than a computer in sales. These differences need to be evaluated and the practices and procedures need to be modified according.
What are some of the best practices to mitigate the risk of a data breach that should be built into these practices and procedures?
Your practices and procedures should:
- Be flexible enough to allow for changes in risks and attacks. Additionally, the types and levels of security measures need to fit the value of the information and the potential risks to such information.
- Include appropriate monitoring of your systems and regularly testing for vulnerabilities. As the Ponenam Institute study shows, the faster a breach can be identified and contained, the lower the cost to the company.
- Provide for education and training of your employees on recognizing a potential attack and taking the appropriate steps if they believe an attack is occurring or has occurred.
- Have a comprehensive incident response plan that will be implemented by a designated incident response team with clearly defined roles. Determine who will manage the technical side of the breach response (i.e., containment, remedy and mitigation), who will handle notifying the affected persons and governmental entities and who will respond questions from customers, clients, vendors, governmental authorities and/or the media.
- Provide for periodic review and update of the practices and procedures
You’ve experienced a breach. Now what?
Stay calm and follow your incident response plan. If you don’t have one:
- Stop or contain the attack, remedy the issue and mitigate the damage.
- Start an investigation to determine what data has been accessed or compromised.
- If a crime is suspected, contact the local police or appropriate federal investigative agencies.
- Contact legal counsel. Members of the Lewis Rice Cybersecurity & Data Privacy Group are continuously monitoring and reviewing the ever-changing data privacy and protection laws and we are here to assist you.
- Contact your insurance provider. Most companies today have some form of cyber incident coverage within their insurance packages.
The Aftermath of a Breach
Depending on how the breach occurred, you may need to change how your company operates. You should take some time to look at how you and your team identified and handled the breach especially where problems arose, and learn from those experiences to avoid future breaches and/or response issues. You may want to consider the following:
- Do you need to provide additional training to your employees so that this type of intrusion does not reoccur?
- Do you need to create additional or modify existing policies or procedures to better respond to similar situations in the future?
- Do you need to change vendors or institute new requirements for vendors to avoid this type of third party intrusion?
- Do you need to include a defined incident response team into your incident response plan?
- Do you have the appropriate security measures in place? Do you need to modify any security measures?
Education and planning are key to successful crisis management. Unfortunately, in the world we live in, data breaches are going to occur. Working with legal counsel to develop good, robust cybersecurity, business continuity, and incident responses policies now, will help you respond, both internally and externally, to such breaches in an appropriate and timely manner. It will also reduce the effect of such breaches on your business, decrease the stress and anxiety that come with these types of situations and, hopefully, reduce the ultimate cost of such breaches to your company.
About the Author
Billee Elliott McAuliffe is an attorney with Lewis Rice in St. Louis and is a member of the firm’s Cybersecurity & Data Privacy Group. Along with information technology law, Billee has extensive experience software and other technology licensing, cybersecurity and data privacy. Lewis Rice is a corporate member of the International Association of Privacy Professionals (IAPP), a premier global information privacy community.