Ten Tips to Minimize Your Risks Before, During, and After a Data Breach

Advisen Cyber Liability Journal - Doug Pollack & Jeremy Henley - August, 2012

This article is reprinted with permission from Advisen. The complete August issue can be downloaded here.

Sony, Nasdaq, Epsilon, RSA, Some big names suffered big data breaches in 2011. And they're not alone. Each year, hundreds of data breaches compromise sensitive information on tens of millions of individuals. At an average cost of $5.5 million per breach, according to the Ponemon Institute's seventh annual U.S. Cost of a Data Breach, organizations can't afford to be lax in their breach protection measures.

But how do you manage such diverse risks?

Every organization and each data breach has unique risk factors based on industry, regulatory, customer, and technical circumstances. To reduce the likelihood of a data breach, you must understand your specific risks and address them before a breach occurs. You must also plan ahead to ensure an appropriate, rapid breach response to reduce your chances for regulatory actions and litigation.

To make things more complicated, not every incident can be construed as a breach. A privacy incident is caused by a suspected, unauthorized exposure of sensitive data—personally identifiable information (PII) or protected health information (PHI). An incident becomes a legally defined data breach when this suspicion is confirmed, or cannot be proven to not have happened. In many states and industries, an incident becomes a breach when it is determined that the potential for "harm" to the affected individuals crosses a certain threshold.

With this distinction in mind, we've developed the following ten tips to help organizations successfully manage their risks before, during, and after a data breach.

Before a Data Breach

The best time to minimize your risks is before a privacy incident or data breach ever happens. Given the prevalence of such incidents, assessing risks and having a game plan are not luxuries, but necessities. The following steps can do much to mitigate the likelihood and impact of a data breach.

1. Complete an annual privacy and security risk assessment.

The cost of a risk assessment is less than 1 percent of the average cost of a data breach—a worthwhile investment, according to our analysis of our clients. An assessment identifies the data your organization holds, how they're used, and how they are protected, providing a comprehensive view into your breach risk profile. It identifies and analyzes any security weaknesses within your IT systems. A thorough assessment also identifies your legal and regulatory requirements and any gaps that exist between these requirements and your data protection measures.

2. Create a plan to assess privacy incidents

Organizations that plan in advance greatly reduce their legal, reputational, and financial liabilities. A holistic plan should cover two distinct parts of a data breach response — assessment of the privacy incident and development of an appropriate breach response (item No. 3).

As we've said, not all incidents constitute a legally notifiable breach. You should have a repeatable, disciplined process in place for analyzing the:

• Breach circumstances
• Nature of the unauthorized disclosure
• Type of data disclosed
• Applicable regulations
• Potential level of harm to the affected individuals

Under the heading, "breach circumstances," one common circumstance would be the case of a stolen or lost laptop that includes files with PII. If the laptop was encrypted and the encryption key was not disclosed, and if the laptop was shut down or otherwise was inaccessible without the encryption key, then in most states there is a "safe harbor" that would exclude such an incident from being a notifiable data breach.

Another breach circumstance would be an email of files that included protected health information to a party outside of a healthcare organization, where that party was not the intended recipient. If the email was sent to a team member of another healthcare organization, and that person confirmed that they either returned or destroyed the information and that they did not misuse it in any way, this situation would not be considered a data breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act nor under most state laws.

In using the term "nature of incident" or unauthorized disclosure, we are referring to the question of whether the incident was malicious, accidental or somewhere in between (snooping, for instance, is somewhere "in between").

If the incident was malicious, and was done by an outside party in conjunction with an insider who has credentials for authorized access to PII, such a situation would typically be intended in some way to perpetrate fraud, by using the PII of the breached individuals.

If the situation is one where a website has left "open access" to files of information with PII or PHI, in such a case, the determination as to whether this incident is a notifiable data breach is typically based on forensic analysis to determine whether the PII/PHI was "accessed" by an outside party. If such access did occur, there would typically need to be the presumption that it could have been malicious and therefore is a notifiable data breach. If forensics can confirm that the PII was NOT accessed, it would in most cases not be classified as a notifiable data breach.

You should have a documented approach and methodology for all this analysis.

3. Develop an appropriate breach response team and process

When the data hits the fan, so to speak, you should have a team already in place with clearly identified roles and responsibilities. Your team will include not just internal stakeholders, but also vendor partners who can provide immediate forensic analysis, mailing and call center services, as well as identity monitoring and protection products.

Once you have your plan, make sure to revisit and test it, as your organization's needs change.

4. Update policies and procedures to keep pace with changing technologies and laws.

More and more people are conducting business on their personal mobile devices, for instance. This bring-your-own-device (BYOD) trend enables employees to access secure network data on unsecured devices, creating an appalling number of security weak points.

The prevalence of social media sites is another issue. Your policies should keep pace with the changing world, to protect your organization against emerging threats.

During a Data Breach

Tensions are high when you discover a privacy incident. A kneejerk reaction is to act quickly and notify stakeholders immediately. Notification without proper analysis, however, can be costly, create needless worry, and catch the unwelcome attention of regulators. Take the time to gather the facts and employ a response that is "proportionate" to the potential risks to the affected population.

5. Complete a forensics investigation to determine the nature and severity of a privacy incident.

Forensics—preferably by a neutral third party—will determine what types of data were compromised, how they were exposed, how many people were affected, and whether the data were unencrypted or not. Documented third-party findings may help you create a defensible position in the face of a regulatory investigation or class-action litigation.

We recently carried out a forensic investigation of an incident where it was initially thought that 50,000 records were exposed. However, the investigation revealed that the information for fewer than 10,000 people was actually compromised, saving the organization significant costs and the unaffected people needless worry.

6. Analyze the facts to determine if the incident constitutes a notifiable breach.

Using your assessment process, analyze the incident to determine the "harm threshold" and document your conclusions. Be aware that numerous state data breach notification laws and federal statutes and rules have ambiguous language on how to determine the "risk of harm." It may be helpful to consider an expert, third party assessment.

7. If it's a notifiable breach, plan a response that meets the needs of all members of the affected population.

Your breach response should be based on both the level of risk to affected individuals and the sensitivity of the personal information exposed.

A breach of a retailer's credit cards may only require credit monitoring and identity recovery services to address the prospective harm to people's credit files. A breach involving sensitive medical data and insurance information, however, might include advisory and identity protection solutions to help with fraudulent billings and medical identity theft problems.

As with other steps taken during a data breach, be sure to document your actions here.

After a Data Breach

The effects of a data breach are not always immediate. A few additional steps can ensure the effectiveness of your response and prevent future incidents. Demonstrating an ongoing commitment to the safety of your organization's data can help create a defensible response in the event of a regulatory investigation.

8. Monitor the status of affected individuals.

Not every person whose data was compromised will become a victim of fraud or identity theft. But if they do, maintaining a tracking file on their cases and subsequent outcomes can be very useful. For instance, did you offer medical identity restoration services to victims of medical identity theft, instead of less helpful credit monitoring? Can your case workers assist with investigating and resolving common healthcare fraud scenarios?

9. Revisit your overall security risks, and close the gaps.

Before closing the door on a data breach, review your overall security risks and profile. This includes more than eliminating the cause of this particular breach: for instance, encrypting all laptops if the cause of a breach was a stolen laptop. What about training employees on appropriate privacy and security measures or updating policies and procedures for employees and their mobile devices? An annual privacy and security risk assessment can help you allocate resources for data breach prevention.

10. Assess your cyber liability risks and the potential benefit of insurance.

Cyber insurance can be helpful in covering the unpredictable costs of a data breach. Reviewing your cyber coverage post-breach can give you a good insight into the effectiveness of your policy. You might ask yourself these questions:

• Did their panel provide you with a choice of vendors, such as legal counsel, forensics, or breach response providers that fit your requirements?
• What about its sublimits? Maybe your million-dollar policy only covers $50,000 in legal advisory fees. Was that enough?
• How did the policy influence your level of control over the data breach response processes? Did you have flexibility and choice, or were you limited to prescribed methods by your carrier?
• Did participants in the response plan understand how and when to involve the insurance carrier—and who to contact—or do new roles and responsibilities have to be defined for coordinating timelines with insurance carrier notice requirements?

Conversely, if you don't have a cyber-liability policy, it's important to carefully evaluate your needs against a policy's offering. Decision points include: considering whether you need to fill coverage gaps that may exist under traditional liability policies (for breach notification costs, for example): the limitations of specialty cyber policies (for lost devices or third-party breaches, under some policies); and the appeal and limitations of value-added services (policies may offer free legal advice or educational webinars, but some may require the use of pre-approved vendors for breach-response services.)

Putting It All Together

Not all data security incidents are data breaches, and no two data breaches are alike. Given their unique, unpredictable nature, data breaches must be handled with care. (An accompanying "Management Tip Sheet" summarizes the common steps to follow before, during and after a data breach.)

Careful planning, thoughtful analysis, and a tailored response can mitigate the risks of and effects from a data breach and ensure the most positive outcomes for your organization and the customers you serve.