Our guest blogger this week is Reed Freeman, Partner, Morrison & Foerster, LLP.
The proliferation of state data breach notification laws, substantive state information security laws (such as the Massachusetts data security standards), and FTC and private lawsuits on information security matters has led to heightened attention to information security, both in IT budgets and staffing and in legal resources. With budget pressures all around (not to mention time pressures and the pressures of the other duties that in-house counsel already has), the question becomes: How can my organization lower the time and dollar costs associated with information security when there is a breach? The answer is to anticipate potential breaches of data security and have a detailed plan in place so that you can respond quickly, properly, and efficiently.
The absolute key to this is to have a written data security plan. This is something the FTC has been pushing for years in business guidance documents as well as in the FTC’s own enforcement actions. For example, in the FTC’s most recent data security case, the respondents were required by order to develop and maintain an information security plan that includes a requirement to identify all material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and an assessment of the sufficiency of any safeguards in place to control these risks. One key element of an incident response program is identifying where the risks are likely to come from.
The other key elements to an incident response program are intuitive, but need to be written down, made into policy, and, believe it or not, rehearsed.
- First, there should be one or a handful of key contacts for actual and potential information security breaches.
- Second, relevant staff should be trained on what may constitute a breach, how to report it, and to do so immediately upon discovery.
- Third, any actual or potential unauthorized access to personal information must be investigated immediately. Time really is money here; the longer the breach lasts, the more exposure the organization may have. It may be necessary to involve a forensic firm to assist you in this process. Interview firms now and have their contact information ready. Many of these firms are true experts with exceptionally talented staff who are able to and used to moving quickly to investigate an actual or potential breach.
- Fourth, if the report appears to have validity, immediately take steps to close off the existing vulnerabilities or threats that permit unauthorized access to personal information.
- Fifth, the investigation must get immediately to the key questions – what, when, how, who, and where – so that you can make sound decisions on how to respond.
  - What: What data and what systems were compromised? Are you certain that this is the full extent of the compromise?
  - When: When did the unauthorized access begin? Is it ongoing?
  - How: What was the means of unauthorized access? Data leakage? Theft? Could an employee or vendor have been involved? Intrusion through technical means or physical means? Failure to maintain strong enough passwords or other authenticators? Failure to have tight enough controls over access to personal information internally and externally?
  - Who: How many individuals’ records have been compromised or are at risk of compromise? Are these employees, customers, potential customers (such as website visitors), or vendors?
  - Where: Where is the compromised system located, where did the attack come from, and, most importantly, where do the affected and potentially affected individuals reside?
Applying immediate attention to these issues will save time and money and facilitate an efficient decision-making process. The answers will help you determine if you have an obligation under federal or state law to notify consumers, employees, law enforcement, credit bureaus, and other businesses that may be affected by the breach. You will also have an early indication on whether the breach will trigger the attention of your merchant bank (in the event of a credit card breach), which could lead to the application of the Payment Card Industry’s Data Security Standards to your overall information security problem.
- Sixth, after taking stock of the breach and determining your appropriate course(s) of action, don’t forget to go back to your overall information security program to see if it needs to be updated. The breach may have highlighted areas of vulnerability that need to be reassessed and tightened in order to prevent a future breach.
Breaches happen. If you don’t think it could happen to your organization, just take a look at www.privacyrightsclearinghouse.com to see the vast number of private and public organizations whose breaches have become public. Of course, it is imperative to have a sound information security program in place to try to prevent all potential means of a breach, but it is also critical – and just plain smart – to be prepared in the event that there is a breach. An ounce of preparation now will save time, headaches, and unnecessary potential exposure down the road.