BC planners are prolific readers -- always searching for best practices and ways to improve their plans. Data breaches have been a hot topic for several years now, yet most published articles on the topic are about what happened and what was learned in terms of prevention. Specifically, the focus is most often on information security. This article takes a very different perspective, one that is much more useful to BC planners. To make that happen, as with any disaster, the organization needs to consider that data breaches are inevitable.
Data breaches are inevitable. Certainly, IT Security puts in place capabilities to help prevent data breaches, mitigate the risk of them occurring and respond to those breaches when they occur. In a number of cases, those same stakeholders are (or should be) concerned with what to do after a breach because of its potential impact on the continuity of the organization’s operations. Breaches have occurred and will continue to occur, even at organizations with robust business continuity programs, information security programs, information protection programs and IT disaster recovery programs. It’s not that existing information security and protection programs and associated measures are ineffective. Rather, there are always paths for mission-critical data and information to make their way around the security measures, however difficult and unlikely that may be. People lose computers, smart phones and other memory devices; trusted people can change; and there is always a compromise between the need to access data, the convenience of doing so and the need to protect the data. Making information more secure generally makes it less convenient to access, store, process, use, share, and discard or destroy.
Those organizations that lose data during a breach are in good company. Examples of breaches at large, seemingly well-protected organizations abound. Even IT security companies such as EMC’s RSA have had high profile breaches. It can happen to any organization, and given the frequency of highly publicized breaches, it seems quite common.
The National Crime Prevention Council reports that domestic firms lose upwards of $250 billion annually through theft of digital information. One of the highest profile cases to date occurred in January 2007 to TJX, parent company of T.J. Maxx and Marshalls. TJX announced that 45.7 million credit and debit card numbers were hacked (Vijayan, 2007; Kerber, 2007), but the extent of the loss -- the number of people affected and the length of time/severity -- was not known for years. Hackers obtained account numbers and relevant personal information, security codes, passwords and PINs, and used the account numbers over a long period of time without detection. Eventually, over 100 million cards were involved, and the cost to TJX for fines, settlements, audits, security costs, etc. was reported at nearly $500M. It is difficult at best to estimate lost sales, reputation damage and loss of confidence by investors. Data breaches are not uncommon, they can be devastating and they are not preventable.
This all raises the question: Why don’t organizations with robust business continuity, IT disaster recovery, emergency management and other contingency plans include robust guidance and preparedness for data breaches in their continuity plans? Perhaps the non-violent nature of a data breach disguises its potential to have a significant impact on business operations and financial performance. A data breach can quickly destroy an organization’s reputation, severely restrict its ability to conduct business, incur liability far in excess of the organization’s assets, and cause real and severe harm to stakeholders. Recent history suggests that organizations are far more likely to be dealing with a data breach than nearly any other form of disaster.
Why Not Focus On Prevention Instead Of Mitigation?
The simple answer is again that data breaches can’t be prevented. Like insurance policies, BC plans don’t prevent hazards from occurring, but they do provide organizations a means to perform certain mission critical business processes during and after an incident. All-hazard business continuity plans traditionally provide for some level of functionality despite the loss of facilities, people and/or systems. It doesn’t matter what happened to the building, just that it can’t be used for a certain period of time.
Given the costs associated with a data breach and its effect on reputation, it makes sense to develop and document the management process for responding to breaches and returning to normal business operations. Further, including such guidance in existing BC plans may enable an organization to leverage its existing incident management and emergency response infrastructure.
Defining ‘Data Breach’ For An Organization
There are a multitude of definitions for a data breach, both practical and legal. Practical definitions vary by what the data is, while legal definitions vary by jurisdiction -- typically by state. It is important to define what a data breach is for each organization. A good example is from the U.S. Department of Health and Human Services:
“A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html)
Using the definition above, the data that’s been breached may include information of a personal nature about one or more people (address, telephone number, etc.) along with the person’s name, and/or other information required to access money, i.e. combinations of name, address, social security number, passport number, alien registration number, health insurance information or other personal health information, financial account information, and credit and/or debit card numbers (Massachusetts 201 CMR 17.00: Standards For The Protection Of Personal Information Of Residents Of The Commonwealth). Hackers may also target information systems or applications that house proprietary, legal and other sensitive non-public information, as well as vulnerabilities and associated information about critical infrastructure.
The Nature Of A Breach: Scope, Timing & Recognition
All breaches are caused by people, but their motivations vary greatly. Hackers can act alone or with others, be part of an organization, and be domestic or foreign. They can be motivated by greed, ego, revenge or a cause. But the scope, timing, recognition and response to a data breach ultimately define the nature of the breach. Scope concerns what data has been exposed, accessed, compromised and/or misappropriated, and determining it can be challenging because of timing. Timing is complex because it involves more than one point in time. It is often hard to establish when a breach began and/or ended, when it was discovered and for how long the data was exposed or accessed. There are many timing scenarios: data exposed for a fixed period of time without knowing whether it was accessed or not; data exposed multiple times over a long period of time on a random basis; or data accessed long ago but only discovered recently.
Recognition can come from system performance issues, a threat, system logs, audits, unusual activity, public exposure of private data or notification by a third party. Recognition spans the entire organization and its stakeholders, as well as third parties -- any one of whom may be the first to notice and report something amiss. Educating this broad group to know what to look for and who to call is prudent, i.e. “See something -- Say something.” Once something is reported, IT and IT Security need a robust and timely process for deciding what has occurred, if anything, and initiating an appropriate pre-defined response. That response generally invokes an incident response plan that engages other stakeholders. Every minute counts because delays can be very costly.
Scale Response To Size/Effect Of Breach
Having confirmed the likelihood of a breach, an appropriate response must be determined based on the size and effect of the breach, how many people and organizations were affected, the type of data involved and how it was used. For example, large scale breaches may require large scale notifications (of customers, employees and other stakeholders), involvement of insurance carriers, provision of credit services and other substantial and expensive actions. Guidance needs to include multiple levels of response for different sizes and types of breach.
Managing A Breach
Leveraging and updating an organization’s existing business continuity plans and/or IT disaster recovery plans for a data breach may mean that an overview of the organization’s data breach incident response process is incorporated into the existing plan documentation and cross-referenced to more detailed documentation. It makes good sense to define how the Incident Command System (ICS) or other existing incident management process will work for a data breach because, once it has been determined that a data breach has occurred, speed is of the essence in forming the response team and leading the response.
There are time-sensitive actions that must occur immediately after a breach is confirmed:
- Activate the response team (described below)
- Engage IT to contain the breach
- Engage legal and provide legal notifications as required by regulators
- Engage senior management (given the risk to the organization)
- Engage Corporate Communications for mass notifications, if warranted
- Engage insurers, who can provide resources at time of response and who may provide helpful guidance in advance of the response
Depending on the nature of the organization, the incident response team may need to include representation and participation from IT Operations, IT Security, Physical Security, Legal, HR, Communications, Public Relations, Privacy, the Business Continuity Program Management Office (PMO) and Operations, in addition to senior and/or executive management. Knowing what type of breach has occurred can also help determine who else should be added to the response team, such as sales, marketing, service or customer care. It is often prudent to include groups that work with stakeholders such as Regulatory Affairs, Government Affairs, and Investor Relations, plus any representatives from Internal Audit and the standing emergency response group since they may be helpful in leading the response.
IT and/or IT Security play a vital role early in the response by determining the cause of the breach and containing it. As part of planning, IT needs the authority to act without a prolonged decision process. For example, IT may see a need to shut down the organization’s Internet connectivity. Going up the chain for such a decision may take too long to be an effective defense. The fallout from a shutdown that later turns out to be unnecessary is probably far less than letting a breach continue while a decision is contemplated.
A Critical Partnership During A Crisis: Legal & Communications
Internal communications and public relations engage and inform stakeholders. Attorneys typically work to avoid liability and obtain remedies when appropriate, and generally preserve an organization’s rights. During a crisis, and in particular when formulating plans to address a data breach, their collaboration and input are critical. Specifically, there are complex and at times conflicting requirements for reporting data breaches. These include notifications to customers, state Attorneys General, employees and others. Depending on the industry, regulators may also need to be contacted. Legal and Communications need to be in lockstep on the timing, content and audience of all breach communications.
Many states specify the content and timing of these communications. Complexity comes from satisfying multiple jurisdictions. A key point: even a local or regional business may need to satisfy requirements in all 50 states if the data breach affects clients in all of those jurisdictions. Finding out which jurisdiction has the most onerous requirements may help your organization, but it does not simplify matters much: legal guidance is still required to determine whether meeting the most onerous requirements also satisfies the other states’ requirements.
Perception Is Reality: Reputation
Complying with legal requirements doesn’t necessarily protect reputation. The organization’s response defines public perception of it, and doing the right thing doesn’t always appear so. Most leaders think that they communicate effectively, and many if not most do. But public relations professionals know how to communicate with the public to create specific perceptions. A response that does the right thing may appear inept, or it may appear pre-planned, crisp and professional. It will matter to public perception, for example, whether the organization exposed the data itself or was the victim of a sophisticated, determined and well-armed enemy.
Consider that in both scenarios, data was breached. Public opinion will form as to whether the company adequately protected the data with which it was entrusted. How the facts are presented along with how the organization responds will largely determine that opinion.
It also matters little to public officials whether the public’s perceptions are accurate, as long as those perceptions align with the officials’ views and needs. In some cases, it may be good for their image to be seen as public protectors, not just from the hackers but also from the hacked, and they will help form that perception. It is invaluable to have a representative of the hacked organization keep the Attorney General informed and serve as that office’s primary source of information, through good relations established in advance.
Having communications prepared in advance that can be tailored to the specific incident is also a best practice because regulators expedite the notification processes with the intent of protecting consumers. Consumers and the general public can hear about the breach from the organization, or they may hear about it from another source. The process is often unforgiving.
Numerous examples of data breaches can be found on the New Hampshire Attorney General’s website (http://doj.nh.gov/consumer/security-breaches/). The site contains the documentation used by organizations to inform stakeholders of a data breach. These documents should be prepared, as much as possible, ahead of time to aid in a timely response.
Many organizational incident response plans follow some form of incident management system based on FEMA’s Incident Command System (ICS) (training.fema.gov/EMIWeb/downloads/ICS100.ppt) or another recognized system. It makes sense to leverage existing and mature processes like ICS. One pearl of wisdom within ICS is to appoint a scribe or other means of documenting as much of an incident and the response to it as feasible. IT should have processes in place for preserving forensic evidence, but it’s at least as important to document the response. Such documentation shows prudence, preparedness and the overall will to care for the organization’s stakeholders as best it can after having been the victim of a data breach. Planning for that sequence of events allows for lessons learned as well as ongoing comparison between actions and checklists. Document everything, but do so in lockstep with legal advice to avoid creating unintended discoverable content.
Given their disastrous reputational and financial consequences, coupled with a near-100 percent likelihood of occurrence, data breaches should be seen as one of the organization’s most significant business continuity challenges. Planning can help to mitigate and avoid the legal and reputational risks that otherwise accompany such incidents.
The requirement to organize and manage a rapid and comprehensive response to a data breach justifies including data breach guidance in business continuity plans and IT disaster recovery plans. The response to a data breach is complex and requires collaboration across an organization, as well as resource commitments from knowledgeable representatives within the organization. These include the Incident Commander, Legal, Communications, and certain other key stakeholder groups that must be pre-staged with documented notification and reporting protocols. Executive management engagement ensures a complete and timely response as well as an informed capability to drive improvements in the overall incident management system.
Kerber, R. (2007). Cost of data breach at TJX soars to $256. Boston Globe, August 15, 2007.
Vijayan, J. (2007). TJX data breach: At 45.6 million card numbers, it’s the biggest ever. Computer World, March 29, 2007.
New Hampshire Attorney General’s website: http://doj.nh.gov/consumer/security-breaches/
Federal Trade Commission: http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
FEMA ICS Training: http://training.fema.gov/EMIWeb/downloads/ICS100.ppt