There is no longer a debate – security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kind of incidents should they prepare for and how should they prepare? Annual reports from forensic investigation firms provide good information on threat vectors, industry targets, and response trends. However, not every incident requires a forensic investigation, and there are few sources that cover the other types of incidents (e.g., lost unencrypted backup tapes, inadvertent disclosures, device theft).
This gap was one of the reasons that drove BakerHostetler’s Privacy and Data Protection team to review statistics from more than 200 incidents we worked on with clients in 2014 and release our inaugural 2015 Data Security Incident Response Report, which shares some of the insight gained from those matters. We followed that with a series of eight “deeper dive” blog posts, using the benefit of our experience from responding to more than 1,000 potential incidents to explore issues identified by the report in greater detail. Data security and incident response preparedness, as well as privacy and information governance, are among the most challenging issues confronting companies. In our experience, the companies that are best positioned to respond are those that accept and plan for the inevitable through defense in depth, segmentation, and rapid detection and containment; ongoing efforts to monitor threat intelligence and adapt to changing risks; and testing and refining incident response plans by conducting mock-breach exercises in tabletop sessions.
Ultimately, we believe our incident response report can be used to enhance efforts by companies to become “compromise ready” – an incremental and continuous process of identifying threats, prevention and mitigation, and response preparedness.
Below is a summary of the eight “deeper dive” blog posts, written by members of our 40-lawyer Privacy and Data Protection team, which has been highly ranked by Chambers USA and Law360. Just click “More Information” to go to the full post.
Test Security and Create Layered Defenses: Does your company have an obligation to implement reasonable security to protect information? Start with an assessment of your security practices and test your defenses. Retaining security consultants through legal counsel may protect some of the work product from disclosure. More Information.
Assess and Mitigate Risks and Develop a Compliance Program and Culture: An ounce of prevention is better (and cheaper) than a pound of cure. Use privacy and security assessments to establish a mitigation plan and develop a robust privacy, data protection, and information governance program. More Information.
Account for Human Error: Our report found that employee negligence and theft are two of the top five causes of data breaches. To mitigate this risk, make sure your own house is in order, but also consider ways to reduce the risks associated with vendors and cloud providers, whose staff are not under your control. More Information.
Beware of Paper Records: Digital breach is an obvious risk. However, one in five breaches we handled last year involved paper records. Your data protection program, including your education and awareness efforts, should not overlook these. More Information.
Post-Incident: Have an incident response preparedness plan and train for security incidents. When they occur, do not assume every incident triggers reporting obligations. The nature of the incident will determine not only whether notice is required, but also what steps you should consider to try to avoid litigation or regulatory investigation. More Information.
Regulatory Investigations: If there is a serious incident, prepare for a potential regulatory investigation. We have found a number of things that minimize the risk of an investigation, or improve the outcome if one is opened. More Information.
Healthcare: By contrast, we found that 100% of our healthcare breaches were investigated. It is now common for OCR to look back over six years of your policies and practices. Keep risk assessments and risk management plans up to date, and maintain records of them going back at least six years. More Information.
Retailer Liability: If you handle payment card data and fail to meet certain industry security standards, you can face significant fines, fees, and liability through card networks to reimburse affected issuing banks. This is the case even if the incident was the fault of a vendor that a retailer relied on. More Information.
“Becoming Compromise Ready – How to Identify Threats and Prepare for Data Loss Incidents” – On September 1, Craig Hoffman, along with representatives from Mandiant and Procter & Gamble, will conduct an IAPP webinar to share findings from the report and actionable preparedness guidance.